Mifare Desfire communication example

MiFare DESFire are iso14443A compliant contactless smartcards, and support all layers including iso14443-4. These cards are so-called “stored value” cards, so you cannot install and execute your own program code on DESFire cards. DESFire is like a memory card with access control.

Typical usage is within public transportation and access control.

DESFire cards are considered secure. Even though there are some theoretical security flaws, no public working hack has been published like there has been for Mifare classic (standard) cards. (The new DESFire EV1 cards are supposed to address the flaws found in v0.6).

Depending on the version of the card, a DESFire card might support commands in native, native-wrapped or iso7816-4 command set styles.

Example using a blank DESFire v0.6 card:

The first response denotes the hardware releated data: version is 0.2 (00 02), and storage size is 18 (4096 bytes)
The second response denotes the software releated data: version is 0.6 (00 06), and storage size is 18 (4096 bytes)
The X’s are the 7-byte UID
The Z’s are the 5-byte batch number
05 = Calendar week of production
06 = Production year

Get Application IDs:

--> 6a
<-- 00

No applications available (blank card)

Select PICC Application:

--> 5a 00 00 00
<-- 00

OK

Get File IDs (for PICC Application):

--> 6f
<-- 9d

Permission denied.

Get Key Settings (for PICC Application):

--> 45
<-- 00 0f 01

0f = All bits in the lower nibble are set, meaning configuration can be changed, CreateApplication/GetApplicationIDs/GetKeySettings can be performed without master key, and master key is changeable
01 = Only 1 key can exist for this application (the PICC application)

This example only showed authentication with the PICC application. In a real world transaction, you would typicall select a specific AID (!= 00 00 00), authenticate, and then read/write to files within that application.

After a successful authentication, further communication with the card is done in plain/plain+MAC/encrypted+MAC, depending on the access bits for the particular file.
Authentication is done using DES or Triple-DES, depending on keysize. If key is 8 bytes: Single DES. If key is 16 bytes, and the first 8 bytes of the key are different from the last 8 bytes: Triple-DES. The card terminal (PCD) always use DECRYPT_MODE (both when recieving and sending encrypted data), and the card always uses ENCRYPT_MODE. However, the DESFire crypto is a bit different from the normal DES/CBC scheme: The PCD uses DES “send mode” when sending data (xor before DES), and the card uses DES “recieve mode” when recieving data (xor after DES). But when the PCD recieves data, it uses normal DES/CBC mode (xor after DES), and the card uses normal DES send mode when sending data (xor before DES).

DESFire encryption:

Send encrypted data

Recieve encrypted data

PCD (DECRYPT)

DES/CBC “send mode”

Normal DES/CBC “recieve mode”

Card (ENCRYPT)

Normal DES/CBC “send mode”

DES/CBC “recieve mode”

The last 2 modes are useful if you need to communicate with a DESFire card through PC/SC, or you need to emulate DESFire on Java Cards.

947 responses to “Mifare Desfire communication example”

Hello.
Nice example but I’m not able to do any autentication with Desfire card.
I was trying to authenticate accordingly to nxp documentation but still get 0xAE error ( authentication failed ).
Looking at Your example above ( I guesss You utilized master PICC transport key which value as I know is equal 0 or better all bytes are 0’es )
I was trying to forget about the card🙂 and I assumed card responded on command “authenticate” ( 0x0A ) like in Your example “af a2 be cd 03 d8 46 cb 33”. So utilizing only autentication procedure and mentioned key value I should get APDU frame to card like in Your example again:

af b0 cc bc ed 8f c8 38 c9 08 dc e2 4d 86 ca ec 3c

Unfortunately , I’m not able to achieve the same result. Could You describe me step by step operations that led You to above APDU frame ?

Host then creates new array ARRAY2 (length 16), and copies its own random data (RANDOM_A) to bytes 0-7.

Bytes 8-15 are the decrypted RANDOM_B, but with a 1 byte left shift. So ARRAY2[15] = RANDOM_B[0]

ARRAY2 is then DECRYPTED using CBC SEND mode (not a normal CBC mode, and you will probably not find a standard library that does this for you. You may have to implement this CBC mode yourself using Single DES + xor).

Host then sends the decypted ARRAY2 to card: 0xAF + decrypted ARRAY2.

Card ENCRYPTS ARRAY2, and if RANDOM_B is correct (after a 1 byte right shift), it then does a 1 byte left shift of RANDOM_A, and ENCRYPTS the result using normal CBC Send mode.

Sorry, a little typo there, I meant you have to implement CBC mode yourself using _Triple_DES + xor.

XOR is a part of the CBC mode. See here how CBC works:

(The XOR operation is of course the circle with the cross inside.)

The CBC mode in this picture is the normal CBC send mode (as done by the card when sending data to host).
When receiving data, the card does the xor operation AFTER the “Block Cipher Encryption” step (but still using DES ENCRYPT).
Note that the card ALWAYS uses DES ENCRYPT mode (both when recieving and sending data). And the host ALWAYS uses DECRYPT mode.

So , as I understood this modified 3DES CBC decryption it is 3DES CBC decryption but with schema as for encryption. In other words, in first step
I xor iv with first 8 bytes of cryptogram ( for encryption schema it is first 8 bytes of text ) and do 3DES decryption. In next step, previously 8 decrypted bytes I xor ( it is new iv ) with next 8 bytes of cryptogram and do next 3DES decryption.

Could you please send me the “3des source code in C” if possible.
I have an algo. which gives decrypted output {0x39,0x34,0x51,0x2a,0xb2,0x3d,0x55,0x05}for input{0xa2,0xbe,0xcd,0x03,0xd8,0x46,0xcb,0x33}.

Hi ;
I created an application with ‘CA3333330F0A’ …Then I sent 90-0A-00-01-00-00 (begin authentication procedure)…
it responsed me 1D-A4-56-2E-78-43-F6-CB (encrypted rndB)
Now I should Decrypt and build Rondom B..
I am sending to picc 1D-A4-56-2E-78-43-F6-CB (encrypted rndB), it returned 67 00..it is wrong way.
How can I decrypt rndB?

Hi can you please help me on How can I communicate with DESFire using the other type of commands. I have successfully done it using this type of commands. But I am having a hard time using the commands with the

cls ins p1 p2 lc [data] le
90 [native ins] 00 00 lc [data] 00

SW1 SW2
91 [native status code]

I dont know what to put in the instruction code and the p1 p2 area.

I have two different readers Omnikey 5121 and Omnikey 5321. The 5121 doesn’t accept Native commands.

Hello Baron.
I utilize Omnikey CardMan 5121.
It works without problems in ISO7816-4 mode. What problems You have with it ? As mentioned in documentation P1 and P2 are always 0.
LE = 0 must be at the end of APDU frame.

Weither the operation is 3DES or singleDES depends on the size and format of the key. But it’s better to always use the 3DES algorithm, because that will work both as 3DES and SingleDES, and a 3DES operation is usually pretty fast anyway. For example: If your key is 16 bytes, and the first 8 bytes are equal to the last 8 bytes, then the effecive encryption will be single DES, even if you are using 3DES. 3DES is Single DES done 3 times: ENCRYPTION (using key bytes 1-8), DECRYPTION (using key bytes 9-16), and ENCRYPTION (using key bytes 17-24). So use 3DES and create code to “expand” the key. Let’s say your 3DES algorithm wants 24 byte keys: if the key is 8 bytes, then repeat these 8 bytes 2 times (SingleDES). If the keys is 16 bytes, then copy the first 8 bytes into bytes 17-24.

Hi,
To obtain the desfire documentation you will have to contact NXP. You will most likely have to sign NDAs (None Disclosure Agreements). I don’t have any documentation I can give away unfortunately. I haven’t signed any NDAs with NXP. All the information you can find in this blog is collected from other blogs and forums on the internet. What do you mean by “how can i communicate with it”? Do you have a card reader and know how to program against PC/SC? Make sure you have a contactless smartcard reader, like the Omnikey Cardman 5321 or similar which supports the PC/SC standard. Then write an application in C/Java (or other preferred language that has PC/SC bindings), and use the “native wrapped mode” or “ISO command set mode” to communicate with your Desfire card.

Hello again.
A lot of work I have done with Desfire card so far but now but in front of me many serious problems concerned with secure messaging as always🙂
First task – key changing
I created application with 5 3DES key on “good day”. Accordingly to documentation they should have 0’es values. Chnage mode to the keys I set in that way , key changing is possible if old key with the same number will be authenticated.
After application selection, I was trying to change key 1. Before operation I authenticated succesfully with old key 1 and in further step I issued “Change key” APDU sequence. Unfortunately , error 0x1E appeared.
What could went wrong ?
1) Autentication was succesfull so I assume session 3DES key I calculated ok
2) Myabe CRC16 ? I found different ways of calculating it even with the same generator. Could anybody confirm that CRC16 for 16 bytes, each of 0 value ( default value of old 3DES key ) , is equal 0xAFA9 ?
I put it 0xA9 0xAF in APDU buffer LSB MSB. Correct ?
3) 3DES calculation of data. It is normal 3DES encryption in CBC mode with IV = 0 ? ( data to be encrypted is “new key” || CRC16 || 0’s padding until 24 bytes )

I don’t have any document that describes all the commands unfortunately. I think such documents are only available under NDA’s. However, you can find many of the DESFire commands in the Nokia proprietary extension classes in the 6212 Java SDK. This SDK is free, but you need to register to download. Registration is of course also free.

I’m developing an application for a mifare DESFIRE card and a portable terminal from Ingenico (EFT930G Contactless).

I have done tests with SAM communications without problems (activating, selecting app, presenting the PIN…), I have also sent different commands to the card with good results: GetVersion (in order to get the card UID), GetApplicationIDs, SelectApplication…

My problem has appear when I’m trying to carry out the authentication process in order to get the session key.

I follow the first steps, but when I send the Authenticate Command to the card (with KeyID 0x01): 0x90, 0x0A, 0x00, 0x00, 0x01, 0x11, 0x00 the cards returns only 3 bytes, instead of 8.

I have tried many different things, as sending Additional Frame command (0x90, 0xAF, 0x00, 0x00, 0x00) in order to get the rest of the of the bytes, but the card always returns me the Command Aborted message: 91 CA

hi ridrix
i develope an application for Desfire card. the authentication with card is successfull and I can generate the session key.
bt I have a problem. How we can specify a key (rather than application master key) in the selected AID. osuppose that I want to set the value of key 1 to 0x00 0x11 0x22 0x33 0x44 0x55 0x66 0x77 0x00 0x11 0x22 0x33 0x44 0x55 0x66 0x77. and then set the access right of a data file to authenticated with this key. my question is general . how and when we can specify the application user file?
thanks in advance
Jafer

hi ridix,
I have created a application with 2 keys. with crypto mode Desfire Native. I need to change key for key entry 1 in the application. Since I have created application with change key access rights with 0x0E I need to authenticate with same key. The authentication is success and session key is generated, but later change key gives me an error 0x1E. I have calculated a CRC16 and appended to data frame and appended 00’s to make it multiple of 8. can anyone help me on this?

Hi, I am a newbie and I am trying to communicate with a DESFire card using an OMNIKey 5321 reader on VB6. I am able to follow all the communication samples and I am also able to do authentication. I request assistance on how to create an application on a new card and subsequently write and read standard files into the application created. Any assistance will be greatly appreciated. Thanks.

Try authenticating using master key ->0A 00 before the change key.
Please let me know if it works.
Also could you kindly share the CRC for your new key. I am having difficulty myself generating the CRC for the change key command.

hi Ridrix,
i have a Desfire MF3ICD41 card and wrote a C# program for authenticate with it; the default key is 0000000000000000
but i can’t authenticate with this card
may you give some test vector for my authenticate module (i sure that’s work correctly but i can’t authenticate yet)
please help me
regards

Hi Ridrix
I am trying to create files and read and write those files.
I succeed with the Data files, but with the record file I am receiving error “0xBE”.
I’m creating record file and can write the record file. On the Read Record command I’m receiving this error.
Command I send:”bb 07 01 00 00 03 00 00″ – as I understand it’s file 7 from read 3 ercords starting from record 1. This file have 3 records.
What is wrong here?
regards

Hi, guys.
I’ve a question for you. I’m using nokia 6212 in order to read a DESFire EV1 card personalized in ISO7816 wrapping mode; but I’ve some problem because the phone doesn’t detect the card. I use this code in targetDetected method:

if (classes[i].equals(Class.forName(“com.nokia.nfc.nxp.desfire.DESFireConnection”))) {
String url = target.getUrl(classes[i]);
conn = (ISO14443Connection)Connector.open(url);
The method Connector.open(url) is not capable to establish a connection. In case of APDU commands native, I thing the connection work. In other words, I think that is not possible to use the specific features of Ev1 chip, that is AES authentication, UID random and ATS configurable. Is it so? If not, how can I connect my 6212 phone to the chip Ev1 card in order to use the EV1 features?
Thank you in advance.

Hi!
I’ve found that the nokia 6212 cannot open connection only if the uid of desfire ev1 card is set to “uid random”; when I use a desfire ev1 card with uid in plain, the connection is ok. Now, I think the problem is of phone because the uid random not change after the RF-reset but then I don’t know why connection fails. Have you some idea?

Hi all
Iam new into card development.
I have dis Mifare 1K card.
iam able to get the UID but cannot get the authentication done.
I am trying read and write from the sectors but without authentication
it gives me 69 82 as response.
please help me
regards

Hi Vaishali, This error means security status not satisfied.
You should first select application on the SAM and on the PICC, then authenticate this application, and only when applications will be authenticated you will be able to read and write records.
Try to authenticate with master key 0.

I am trying to change the keyno 1 of my application but I get a 911E error, what means that CRC or padding must be wrong. I can authenticate to the master key and get the session key. Here I post the output of my program.

The session key is wrong.You have to authenticate with the old key.The first eight bytes are equal to the second half , therefore you have to build
the session key in the same way.The first half of the session key must be
equal to the second half.

I implemented almost the whole DESFire-spec in java and everything works fine (i.e. authentication with aes/des, create/delete aid, create/delete fids, write standard files) but I’m not able to change a key on application level. I’m creating an aid, a fid, standard file and write some bytes into it. Everything with standard key (i.e. 0x00…). Reading out the file does work also.

Now I implemented a changeKey-method which should work but always gives me 0x1E, i.e. “INTEGRITY_ERROR”. I’m using the standard java crc32 implementation. Authentication ist 0xAA, i.e. aes. But I also get 0x1E if I “corrupt” bytes of the ciphered key data block, so I’m not sure if my crc32 is not correct or the parameters are in the wrong order. According to the spec, its encrypt(aesKey(16), keyVersion(1), CRC32(4), padding(11)), right? Does java.util.zip.crc32 produce the correct crc? The exponents etc. should be correct, I even tried to XOR the bytes with 0xFF…

i’m developing a java application and i want to read files from a desfire ev1 card with AES protection. I began to reconstruct the way of authetification from the nxp application notes. i succesfuly can generate the reply from pcd (to picc’s) to the command 0x90 0xAA. Only problem is after i send (0x90 0xAF 0x00 0x00 0x32….) i get a IllegalArgumentException with “invalid apdu: length=38, b1=50”. In NXP documentation i read that length of command could be up to 64byte, so i think thats enough.
Thanks a lot for any help. And sorry for my english. If someone prefers german answer on my question thats no problem;)

I have been reading the Ev1 specification but I cannot undestand how the IV management works.

In the beginning we have Iv=0x00 … 0x00. Then we send something and the CMAC value gets a value, for example IV=0011223344556677. So how can I get the second part of the IV and get the new value IV=11223344556677XXXXXXXXXXXXXX ??????????

most apdu now working
but NOT ChangeKey <<<<<<<<<<<<<
which differs according to Native|Standard
may have iv pre-decrypt?
may require version ?
for key0 all zeros Session key 1sthalf=2ndhalf?
Standard uses crc32?
tried all, no changekey
working: MakeAID, read,write, even format works!
(I have a lot of test cards to play with!)

Hi to all,
I’m new to the smartcard Desfire programming.
Following the samples in the forum I was able to get the UID of the desfire card, but no success in the nex steps. Basically I wanna do:
1) Create application (other than 000000)
2) Set a new Key to the application( use application level keys, not the master PICC)
3) Create a new file within the application
4) Being able to read the app/file created in the 1~3.
Can some body provide a source code in c/c++, so I can see how it is done?
Thank you in advance and any help is very welcome.

I am facing exactly same error mentioned in one of yours previous message (msg at the end).

I can successfully authenticate and create the session key. But I am not able to change PICC MASTER KEY.

Already tried Mustafa suggestion to use sessionkey with first 8 bytes equals to last 8 bytes. Same result (91 1E).

No idea what is the correct process to be able to debug/resolve this issue.

Have you been able to figure this out? If so, what was the problem?

Thank you ver very much!

I will post a new msg with the complete APDU log for my communication.

Thanks

Bruno

Slightly difference from your code is regarding the CRC16. I am appending only 2 bytes after the new key. And you are appending twice. Any problem with this? What is the correct way?

“##BEGIN##”

Gorka Says:
December 15, 2010 at 17:24

Hi,

I am trying to change the keyno 1 of my application but I get a 911E error, what means that CRC or padding must be wrong. I can authenticate to the master key and get the session key. Here I post the output of my program.

At this point, the Card decipher RndB, execute a left shit and compare with its own RndB.
If its okay, it decipher RndA, execute a left shit and cipher with same key (0x00).
So, the response is RndA (left-shifted) ciphered by the card:

RndA (left-shifted and ciphered) = 39 B4 6B 2B 05 45 3B 72

2.6 The program (my program) decipher RndA using key 0x00 and execute a right shift

1.When you build the session key you must take care that the first eight
bytes are equal to the second byte.The reson is that the default key
all zeroes also has the first eight bytes equal with the last eight
bytes.
2.When you send the new key you have to use CBC with single DES
decryption.That Means: You have to exor the fisrt eight bytes of the
new key with IV=00 00 00 00 00 00 00 00,than single DES decrypt the
result(using the session key built like mentioned under point 1) and
send it to PICC ,than exor this result with the second eight bytes of
the new key and single DES decrypt it and send it to PICC, the
result you have to exor with two bytes CRC with padding zeroes (six
bytes) and single DES it and send it to the PICC.

Hi Bruno,
the reason is that DES decryption you can use on eight byte blocks only.When you change the key it is 16 bytes long plus you have to build CRC16 (two byts long) and you have to pad it to eight bytes with six zeroes.That means you have to send three blocks each eight bytes long to the PICC.To send three blocks you have to chain them (this method is called CBC chaining).
For this operation you need to logical XOR the result of the
plain data with the result of the foregoing decryption and then decrypt it (DES or 3 DES according key type).And at the first block you use the initial vector 00 00 00 00 00 00 00 00.

First of all, the key I had to change was the key #1 of my application. I tell you that because the CRC16 depends on the change you want to change. As you can read in the DESFire specification, it is not the same if the key you want to change is the one used in the authentication (that is your case since you are working with the master key) or it is another key from the keyset. In the first key you have to add only two CRC bytes and in the second one 4 bytes (I think it was that way, take a look at this point)

The problem I used to have was on the encryption. I was not encrypting the data in the correct way (you know, all the xor before DES thing). Once I corrected that, it worked. If you don´t know what I mean try to send more than 8 bytes of data over an encrypted channel. If you can´t do that, you probable are not doing that ok.

OK Bruno,
let mexplain more detailed.First of all the main thing is if the first half of the key you use is equal to the second half you use single DES for decryption.If the first half different from the second half you use triple DES for decryption.The first half of the default key all zeroes is practically equal to second half so you use single DES for decryption.Now assume your session key after successfully authentication is A4 24 63 B7 1C EC 85 0F (these are sample data and not real )and the key you want to use is : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F .
The CRC16 for this key is 77 F5 .Now you have to send following blocks to the PICC :
1. Block 00 01 02 03 04 05 06 07
2. Block 08 09 0A 0B 0C 0D 0E 0F
3. Block 77 F5 00 00 00 00 00 00
When sending you have to chain them together using CBC rules.You have to build logical XOR byte for byte with 00 00 00 00 00 00 00 00.The
result is the first block itself.This you have DES decrypt (single DES ,
decrypt only once).Build the XOR with the result of it and second block
(08 09 0A 0B 0C 0D 0E 0F).Then DES decrypt it (only once again).Build
the XOR with the rsult and last block (77 F5 00 00 00 00 00 00) and
Des decrypt it.Now you have to send thes data in the same sequence you
build them to the PICC.

Mustafa, I just authenticated to the card to get a “real” session key and provide mor information to validate my code for Decrypt using CBC.

After Authentication, I have the RandomA and RandomB (already validated with mutual auth).

Here they are:

RandomA = 9F CA 40 0F 3F AA 65 AC
RandomB = 21 82 A9 52 D0 C9 64 02

In order to change the master key from all 0s. What session key should be generated?

1. DES Key (RndA 1st half + RndB 1st half)
9F CA 40 0F D0 C9 64 02

Is that correct?

Need to figure this out first before go forward. I am also having problem to achieve the same CRC16 as you for the new key in your example (code is in C#). But I am forcing the CRC16 now and later on I will go through this.

Bruno,
you have written right thing (RndA 1st half + RndB 1st half) but
you made wrong thing , the session key for single des decryption
is : 9F CA 40 0F 21 82 A9 52.For building CRC don’t worry.There
are many codes on internet.

Okay, now I have the correct SessionKey. I will use for now the CRC16 as you mentioned and later on gather something from internet.

Moving forward:

Here I will get a new session key from the card and ask if you can help me to validate my single DES operations. I.E. I will send unenvrypted and encrypted data to check if you can get same results (to be able to validate my code).

6. Single DES Decrypt Operation using previous Session Key and IV (here is another question — Should I use the IV generated in previous step #4 ? Or should I use the result data (xorB1Decrypted) as IV?)

Bruno,
Hi, i am also working on a desfire cards in C# and am stuck on changing the keys, i have got the encryption stuff working so if i plug in this data i get the correct data out, however i still get a data integrity error. I am pretty sure i have generated the session key correctly, i took the first 4 bytes of the RND-A and appended the first 4 bytes of RND-B to them. However when i substitute in the ACTUAL session key i generated from authentication, it doesn’t work. The only difference i can think of is possibly the fact that i authenticated with the application using triple des instead of single des, while still attempting to use single des in the change key command. So i was wondering if when you got this working you authenticated with the application using triple des or single des.
I tried authenticating using single des to rule out this possibility but i get an authentication failed error.
Any help would be great, thanks
Zack

I would really like to, but unfortunatly i really don’t have time for any extra projects, and the code i will be merging this into is very “specialized” (read: old and horrible). maybe later on down the line though.

Hi, sorry took so long to reply, send the notification to the wrong bloody address. I have got authentication working, and i have been trying to do stuff like change the key settings and changing the actual key. To fit with the comments you were posting previously i am now testing with the changekey function. I have actually got the code to the point where if i plug in the data you were using i get the data you guys were saying was correct, and am still get an integrity error. If you want to send me that code you can send it to spudsmcghee@yahoo.co.uk and also i am using EV1 cards.

Hi Bruno,
I have written DES for myself and I used standard C and GNU compiler.
Following link may be useful (http://www.aci.net/kalliste/homepage.html).
I didn’t used APDU but I have sent native changekey command and the
three blocks.
Good luck

Hello,
I’m having some problems with the use of the session key.
What I am doing is reading a standard data file that has zeros for data, and trying to reproduce the generated MAC.
Here is a sample log of the commands I am sending

Hi Felippe,
1.What is your key 0, is it the default key all zeroes.The general rule is
if the first half of the key is equal to the second half you use single DES.
If the fist half is different from the second half you have to use 3 DES.
2.When you send data to PICC you use DES or 3DES decryption because
PICC always make encryption.When you build MAC you have to use
DES or 3DES encryption.
3.When you want to build the MAC you have to chain eight byte long
blocks of data.You have to build the logical XOR of the first eight byte
with IV(00 00 00 00 00 00 00 00) then DES or 3DES encrypt it.Then
you have to build the logical XOR of the result with the the second eight
byte and DES or 3DES encrypt it.The first four bytes of the result is
your MAC.

According the data you have given the session key should be
00112233BBBCF23D.To build MAC you should use single DES encrypt not
decrypt and you should chain the two blocks using CBC as mentioned before.

I am asking for 8 bytes, meaning that I should only receive 1 block. The response from the PICC is

PICC: 00000000000000007CEC960D9100

This, as I understand it, means that the data is 8 bytes of zeroes (1 block) followed by the 4 byte MAC which would be 7CEC960D.

This would mean that if I XOR the first and only block of data with the IV I would still get 0000000000000000. If I encrypt that with the session key, I receive 0xFA2B513202BD66A0, which does not match the received MAC. Could you please point to where I am making a mistake?

Unfortunately there are few C# resources when it comes to DESFire.
Here is a short explanation of the authentication process.

The PICC will send the application an 8 byte random number encrypted with the master key. The default master key is 0000000000000000 0000000000000000. Because both halves are the same, it is a single DES key and the session key produced will also be a single DES key. The IV is 0000000000000000.

The tricky part with the authentication is to make sure the application decrpyts when sending the response. And make sure you use CBC-Send mode.

You will receive e(B). Then you will send a 2 block message containing A followed by B’.
Decrypted, the first block will be D1 = d(A xor B) followed by D2 = d(D1 xor B’).
The response from the PICC will be e(A’^B’).

William,
Apparently I gave you the wrong answer and might have led you down a path of much frustration. So in hopes that you do read this, when you reply to the PICC’s first response to the 0A command, reset the IV to 0000000000000000.

So your transactions should look like this.

PCD: 0A00
PICC: AF e(B)

PCD: AF (e(A)) (e(e(A) xor B’))
PICC: 00 e(A’)

your session key will then be the first 4 bytes of A followed by the first four bytes of B.

Thanks for your reply and following up. Finally, i succeed to authentication step.

By the way, do you know the cmd/Auth/others difference between the desfire (D40) and desfire ev1 (D41). As i only can find the Specification of D40. Can i develop the program according this specification? Thanks.

I haven’t been able to get the D41 functional spec either. You have to sign a NDA with NXP if you want those documents, and they can at times not be very helpful. However, you can find a lot of the details in the libfreefare source. http://code.google.com/p/nfc-tools/wiki/libfreefare

Mustafa,
Have you been able to perform a change of key or any operation that uses the session key?
Could you please post a log of such a transaction starting with the authorization using master key zeroes?
Thank you

Can someone please help me. I have read every comment on this blog and other forums and still can’t seem to get anything that uses the session key working. I even looked through the libfreefare source and I could swear I am doing the exact same thing, but mine just doesn’t work.

I think i might be interpreting my values of A and B wrong and therefore generating the wrong session key, so could someone please look over this and tell me what the session key from this authentication would be?

Hi Felipe,
what do yo want to do with sessionkey?
I think your decryption algorithm is O.K.
Otherwise you wouldn’t be able to authenticate and
you wouldn’t get the answer: 00 6FA0F01F9BEBB5C6.
To build the session key you get first 4 bytes of
random A put first 4 bytes of random B then last 4
bytes of random A and last 4 bytes of random B.
If you wish send the complete data,I mean not only
data coming from the PICC also the single DES
decrypted data,so I can check them.
of

Hi Mustafa,
I am still having the same problems from last week. No operation that uses the session key seems to work correctly. reading/writing encrypted or MACed data, changing keys, etc…
I am using the session key generated by combining the first halves of randA an randB. Here is another full trace where I create and then read 2 bytes from an encrypted file.

The card is a brand new Mifare DESFire EV1 with one application FFFFFF, max 5 keys, access rights EF in it.
The master key of application FF FF FF is the default, all zeroes.

As you can see, decrypting EC3B5DE6C61F8821 with key 01234567A42F3E84, gives 41C415038EFE212B. This is clearly wrong since the block should be bytes of data, followed by 2 bytes of CRC and then padded with zeros.

just in case it might be relevant, here is what I receive when I perform a getVersion command.

Felipe,
your B is correct,but there is something wrong with your decryption of A.Are you sure that you get:
0430D763E80E431A when you decrypt: 0123456789ABCDEF,
because I’m getting different data.
Another thing is that you have chain both blocks of
byte using CBC before sending them to thePICC.But
first try to fix the problem with decrypting of A.
For this I’m getting : 3B 73 A1 53 75 7B 1A D8

wow,
thank you so much mustafa.
Here is what I was doing wrong in case anyone out there is having the same issue.
The IV never carries over from previous messages sent, it is always reset to 00000000000000.

So after the first decryption of e(B), what I did was keep B as the IV, then sending D1 = d(A xor B) to the PICC followed by D2 = d(D1 xor B’). What is truly curious is that the PICC’s response, in my line of thinking was valid. What the PICC was actually responding was e(A’), but I thought the PICC was responding A’ ^ B’, since B’ was, i thought, the IV.
Now, A’ xor B’ = (A xor B)’.

Sent: 90AF00002700000000200000491E890DE9ACE9320AA0DF24E9FE9CECF5B9424D66190FFD9C0695F2AB5DD7BC00
got …917E LENGTH_ERROR Length of command string invalid…
the apdu is OK what can they mean by “command String”??
Previous 90AF sends to PLAIN files went OK
Whatever I put in the data I get 917E, ie its not a decryption problem…

The CRC is CRC16, the implementation is a bit odd, you can find it in the ISO 14443-3 specification. That is probably what is giving you the error. Also, try first sending a small message so that you don’t have to send additional frames.

After some time I am now back to DESFire and I want to do some tests with SAM modules, where the keys of the reader will be hosted. I already have some SAMv2 modules and readers ready to work with them.

I have completed many times DESFire authentications, so I know the procedure. I also have read the SAM specification and communicate with it sending for instance the GetVersion command and getting the correct answer. I also know how the DESFire_Authenticate command works.

So now, my problem is that I don´t know how to make the DESFire tag and the SAM module work together. What I want is that when the reader detects a new tag to try to authenticate it using the keys that are stores in the SAM module.

Just for you to know, I am using Gemalto´s GemProx PU reader, which has 2 SAM slots

Unfortunately, I can’t really help you. But I would like to know how you obtained the SAM functional specification. Did you sign an NDA with NXP? If not, could you please tell me where I can find it? I’ve been trying to get a copy of the spec from NXP but they have been less than helpful.

Hi Gorka,
it is similar like communicating with Desfire directly.
The only difference is that you don’t need to make all
the decryption work for yourself but let it make the SAM module.You send the authentication command to the Desfire card,the answer which is encrypted RndB you
forward to the SAM module.From the SAM module you
will get decrypted RndA+RndB’ which you forward to the
Desfire card.This goes on until you get from the
Desfire card that the authentication is complete.Now
if you want to communicate encrypted with the Desfire
card you have first to send the plain data to the SAM
module and get the encrypted data which you forward to
the Desfire card.And send the encrypted data to the
SAM module to let it decrypt by the SAM module.

Thanks for your response. Yes, I supposed it should be that way, the problem I have is that I don´t know how to forward the challenge I get from the tag to the SAM directly without having to type it by myself. I guess somehow I have to install a script or something in the reader.

Anyway, I guess that what I have to read about is the reader, and not the specs of the DESFire and the SAM, because the problem is not in the commands I have to send to them, but in the way to communicate with both at the same time.

I forgot something. I don´t know what reader have you used, but I guess the way to work should be similar. Right now I am using the GUI application they gave me. So what I do is to initialize the 14443-A and the SAM module and complete all the Select procedure. Next I send an authentication request command to the tag, I get the challenge and then I copy it and paste it inside the command I send to the SAM. I get the response, copy it and paste it to the 14443-A management page, etc.

What I want to do obviously is to make all this procedure automatic, so that I don´t have to copy the responses by myself. How can I do that, with some kind of script, or application in C++ using the API they gave me?? In that case, I guess I should have to connect to the COM port where the reader is and then start sending Request commands until I detect a tag and send all the commands from the tag to the SAM and viceversa. Is that correct?

Hi Gorka ,
I have used my own reader and programmed the
microcontroller by myself.For you are using the Gemalto
reader you can communicate with it via com port.You
must have got a protocol containing the command with
which you can program the reader.
Good luck.

I have some trouble while Read/Write data to a standard file on the Desfire Ev1 card. When i using the DES key (default key) to Read/Write a file with communication setting (0x03), it seems good. I can Read/Write though the DES encryption. But while i change the key to 3DES. There is a problem. Here is my log.

The message you are sending is correct. Which means that the session key you are using is not right. Could you post a log of the authentication, and the session key you believe you generate. Also, be aware that the formatting in these comments has some quirks, so try not to use less than and greater than signs.

The reason you receive the data in plain mode when you read the file is because the access rights of the file are set to EEEE. This means that there is free access for to every operation on the file. Try setting the access rights to a specific key and you shouldn’t have a problem.

Hi
My project is creating a mobile payment application with NFC.We bought a reader (Obid Classic-pro(HF) ID Cpr40.30-usb) and Mifare tags. I am using Mifare DESFire because i think it is the most adequate transponder for payment. My problem is i am not able to run the DESFire commands because of the crypto processing errors. According to my reader’s manual, the reason of error is transponder. Desfire error codes which i am getting is usually 0x9D, 0xA0, 0x1C. I am using AES keys for authentication. I will send a video to you (The link is below). I am doing the same things exactly with the man in the video but he can run read and write processes successfully, i can’t because of the errors that i mentioned before.

1. 8D means number of keys (it defines how many keys can
be stored within this application).
2. Meaning of application masterkey (0X0F) :
Bit7-Bit4 :
0X00 :Application masterkey
authentication is necessary to
change any key (default)
0X01-0X0D :Authentication with the specified
key is neccassary to change the key
0X0E :Authentication with the key to be
change is necessary to change the key
0X0F :All keys within this applications are
frozen

does anybody have some hints how to calculate a CMAC with AES Cipher in Java. I tried to follow an example from NXP with the SDK from bouncycastle but i wasn’t able to get the right values. I would be very grateful.

This blog is very interesting. I have found no more information on APDU commands on internet, thanks for your work.
I’m working on this kind of project. I need help. I hope you could read this.
Here are two file settings.

the reason why the card has to send e(A’) is to assure the reader that the card has the appropriate key. If someone were to be monitoring the communication between card and reader, they could use the same B (generated by the card) every time. And without knowing the key, complete a successful authentication. If the Card has to send e(B’) then knowledge of the key is necessary.

From beginning i would like to thank you all, especially Ridrix for all the information above. And of course I need help😉. It’s about documentation, I have ISO 7816-1,4,6,7,8,9, I have access to the NXP documentation. About NXP documentation, I don’t know which documents are relevant for me. I’m working with DESFire EV1, and so far I consider being important on NXP just these documents:

[…] Desfire cards to be used with PCSC readers. It is based on Desfire Functional Specification and this post has been very helpful. More news coming soon. Share this:TwitterFacebookLike this:LikeBe the […]

First of all thanks for that blog that definitely helped me a lot.
Yet I still have an issue…

I’ve successfully performed an authentication (after PICC selection) with key-00, retrieved the key settings (0x0f) and I now would like to change it to 0x0e with the ChangeKeySettings command and I constantly get the INTEGRITY_ERROR (0x1e)… whatever I try.

Hi
Yes you should single DES encrypt with the session key.But your session key is wrong.
If the first half of the key you are authenticating with is equal to the second half of the key,you have to build your session key eight byte long.For you are using the default key all zeroes the first half is equal to the second half.For building the session key you have to put the first half of RndA and RndB together and use this session key for single DES
encrypting.
Good Lock.
Mustafa Moripek

For your interest. I’ve found the problem: The not (or bad) document IV-handling. In DES Authentication you reset the IV always to 0x00. In AES your IV for your encryption is the Enc(RndB) and for Decryption of RndA’ u use crypto_2.

I’m playing with Desfire EV1. DES/3DES authentication and data handling is working perfect. I manage to change MasterKey to AES (for MasterKey it will be key no $80), but now I’m not able to login into my card anymore.

Bruno,
you can use the SCardGetStatusChange function to check the status of the reader, and check if a card is present or not. by doing this you can keep track of the state of lots of readers at the same time really easily.
Zack

Hello: I’ve written a Python implementation (an example) of AES-128 simmetric key diversification as described in document AN10922. In case you think it might be useful, here’s the link: https://gist.github.com/1409585

I am new in smartcard programming and I ve got some trouble on Mifare DESFire ISO wrapping. The point is that I seems to have additionnal bytes on my response APDU. Namely on an application linked to 3 AES keys for a Get key settings command :

cmd > 9045000000
resp 9045000000
resp< 0F83E524DE703EA850BD9100

While I am expecting to have
1byte for key settings || 1 byte for max No of key || MAC data

Hi Amilla,
I think ,in your case,the key number you are authenticating with is the same as the key you want to change .So you have to proceed as follows:
A two byte CRC is calculated over the new key data(16 bytes) and appended at the end.For the DES/3DES encryption is made using with frames of 8 bytes you must pad your data with 6 zeroes.Your
plain data should look like this:

[16 Bytes new key][2 Bytes CRC 00 00 00 00 00 00]

Now you should DES encrypt this data with the session key.
Good Luck
Mustafa

Hi Amilla,
1E means either your CRC is wrong or your MAC is not correct.To calculate MAC you have to proceed as follows:
1.You have to exor the first byte (01 01 01 01 01 01 01 01) with
IV all zeroes,and 3DES encrypt it with session key.
2.You have to exor the second byte (01 01 01 01 01 01 01 01) with
the result of the first step, and 3DES encrypt it with session key.
3.You have to exor the third byte (CRC1 CRC2 00 00 00 00 00 00) with
the result of the second step, and 3DES encrypt it with session key.
4.You append all of them to your command c4 00.

Hi Mustapha,
I am using PC/SC Diag from http://www.springcard.com/solutions/pcsc.html
which is as they say a “quick’n’dirty software to exchange APDU”…
Please can you help me on this.
I’ve also got issue on ChangeKey. I am using AuthenticateIso cmd and key number used for authentication is the same as the key number to be changed
3DES session key is F6C87AD0F4AD5CA52FBE35F612B442C6
New key + CRC32 + Pad = 1111111111111111111111111111111168C9375800000000 => enciphered = E50E3E54226C67EE1CBE3881542E59A7AAAB6E5810306806
The overall (wrapped) command is
90C400001900E50E3E54226C67EE1CBE3881542E59A7AAAB6E581030680600
I got AE(authentication error)response status.
I’ve successfully authenticate before performing ChangeKey so I don’t get it. Any idea ?
Thanks in advance for your answer.

Hi Amanda,
As far as I can see, there are two mistakes.
1.The first half of your key is equal to the second half,so you
have to use DES encryption and not 3DES.
2.You should use CRC16 and not CRC32.
Try to fix the issues.If there are still problems write down all the communication between reader and the card.
Godd luck.
Mustafa

I have two applications and each application has one standard file. For doing a specific function I have to update the both files in both application. How can we grantee the Atomic transaction of this function. It may be failed to update the second file once first has done successfully, due to RF signal issue or some other reason. How can we handle such situations, is there any native support from Desfire or we have to use some tricky things to handle this. If you have any idea please share.

High Amila,
the only way to be sure that the transaction has been executed successfully is to read the files after write operation.But the Desfire has a property which enables you that the file doesn’t get destroyed during any write operation because of RF failure.During value operations, add or subtract operations, you have to send commit transaction command.Until that time the original data remains in their original values.The same thing you can make with plain data if you use backup data file instead of standard data file.For all changes are made in a mirror place you have to open your backup data file with double the length of your normal file.
I hope this information helps you.
Good luck
Mustafa Moripek

Is there any crc16 implementation that can use inside the javacard applet. Since most of the crc implementation use int variables and cannot use them inside the javacard applet, Do you have any idea to overcome this ?

my name is Jan Lazar
i’m not able to use MFDESFire8 library with AES encription,
my reader is OMNIKEY CardMan 5321 USB Reader,
with brand new card just CRM_3DES_ISO, CRM_3DES_DF4 are working for following bit of code.
i’m not able use CRM_AES, CRM_3K3DES

I am working on to change my all the logic to AES. When I send the first authentication command it gives AE. I know default cryptography is TDES. But I need to know how to change it to AES both PICC keys and Application keys. Can you please advice me to start authentication work with AES.

AES authentication is succeeded. Now I am working on writing data to standard file with ciphered. In that case I couldn’t find a crc32 implementation yet. Can you please advice me to overcome this issue ?

I used the Java crc32 method. But you have to prepare the result to get the result the Card expects. If you use Java i could Show you my Code which works. (und wenn du (besser) deutsch sprichst kann ich auch gerne auf deutsch Antworten;) )

Its working fine in my program with the method code i posted before.
I get the same result After using the Java crc32 method. You have to prepare this result (the two for-Blocks in my code). First you have to invert it so you get (FF FF FF FF) A5 CD 0A 28 and then you have to read it from right to left (but always two numbers together). Then you get the crc32 value like in your example from the nxp document.
I Hope you understand my Description. I’m Sorry for my english;)

Again thank you very much for the support….
I think something has gone wrong when copying the code in the text area, I am getting result as d7 f5 32 5a(Before invert). Can you please email the code snippet to me.. my email is godwinamila@gmail.com

Hi ADAM TSL,
in case the key number you use for authentication is different from the key number to be changed and change key key is set to a value not equal to 0X0E you have to generate the deciphered key data like follows:
The new key and the current key are bitwise Xored (16 byte).CRC (2 byte) is calculated over the Xored data and appended at the end.Additionally a CRC (2 byte) of the new key is appended and after padding of zeroes (4 byte) DES/3DES deciphering operation is performed on the whole data.The three cryptogram blocks are chained using CBC send mode.
Good luck

I have a problem with Desfire Diversification, I don’t have NXP SAM AV2, I am trying to implement all the cryptographic operations including diversification in software level. The Desfire Card I am communicating with is working with real hardware SAM but not with my software SAM. Can u verify my following output,

Look for NXP document AN10922 in google. This document is public and describe in details proper diversification process (compatible with SAM) for various cards. You will find there also some examples so you can test your code.

Hello ridrix,
I found your forum very interesting and helpful.
Unfortunately we are working with Elatecs TWN3 Mifare NFC transponder that offers DESFire cards support.
The support we got from Elatecs developers they stated that the communication with DESFire cards is done using this syntax:
t0F
data is created using ISO14443-4 protocol frame and that we have to place the DESFire protocol data into the INF-field using I-Blocks.

Could you please provide us with an example of how we could authenticate? We would greatly appreciate it.

But i always get strange results… and i cant figure out why. I would love some points how to fix it.
Exemple how my decryption looks like:
i get the input:
AF EA 18 DE FF 52 0E CD
And after deciphering its: 43 DA 7C 69 DE 5F D0 6F
Is that correct?

Hello i am new here, Please tell me How to load an application on desfire card?now i am using SCM Microsystem’s Card Reader to communicate with the desifre card.
i want to load a small C code on the card for encryption.
and also provide the link for desfire memory organization..
thanks in Advance..

I am newbie for smart card but I’ve successfully authenticated using DES. Now I am trying for AES, and when I request Random B(16 bytes) from PICC, it gives me AE. The card is a new blank card with default keys and settings.
->aa00
0a00
1a00
<-AF871081A8BDB379E1

Even thou I don't know the 1a00 command, I just used 0a00 for requesting Random B.

Hi Gabriel,
Error code 1E means CRC error.I have checked your CRC, it is
correct.I have checked your data with the session key you have
given,your calculating of CBC parts are all correct.The only issue
can be tahat your session key is not correct and the PICC calculates
wrong CRC.
Check your code part which builds the session key.
Good luck.
Mustafa

How did you solved the session key problem to change the master key to AES ? Im using C# and I am able to change to 3DES. But now im preparing to move to AES (restarting this project after 1 year or so😉 )

Hi Mustafa,
I now have successfully changed default DES key to TDES keys and AES keys. Although DES and TDES authentication is alright, I have problem in AES authentication. I did refer to previous QnA posted about AES authentication but still in vain. Could you please point out what I did wrong for this authentication.

Just do the XOR yourself and call the DES routine with a NULL IV every time. Use the crypted output of each block as the source data for the XOR of the next block (i.e. you are effectively maintaining your own IV).

I made another try
select picc
autenticate picc 0x00 … 0x00
format picc (so i can repeat my test without so much work)
i create an app 01
selecte 01 app
autenticate with key 0x00
change key to 0xff .. 0xff
autenticate again with key 0xff
changed back to 0x00

enc/dec used allways des

i repeat the above test using 0x02 …0x02 key insted of 0xff .. 0xff
but when i try to autenticate again with key 0x02 i cant autenticate

Hi Andrea,
there is something wrong with encrypting RndA(all zeroes).
I have checked your data:
When encrypting RndA with the keys all FF or all 00 I get
exact the same numbers like you.But when I decrypt
RndA with the key all 02 I get following numbers:
3D 8A 71 E3 25 CE C2 96.
I hope this will help you to find the issue,good luck.
Mustafa

Hi Gabriel,
the authentication with AES keys are similar to authentication
with DES/3DES.You have to use command code 0XAA instead of
0X0A.For encryption you have to use AES algorithm.
You must use a tag with chip MF 3 IC D 41 ,tags with chip
MF 3 IC D 40 don’t support AES keys.
Good Luck
Mustafa

Hi Mustafa,
Sorry for my late reply (seems notification is not working properly).
The tag is with MF3ICD41, I can send the command 0xaa and get response(16 bytes rndB). What I am not clear is building session key. For DES, the session key is build with first nibble of rndA and first nibble of randB; for TDES, its first nibble of rndA+ first nibble of randB+second nibble of rndA+ second nibble of rndB. For AES, its randA and rndB is 16 bytes each, and do not know which nibble to manipulate.
Thanks and best regards,
Gabriel

I have succesfully authenticate the card using 0x00….. default key using DES/CBC/NoPadding mode.. and its ok.. here i needs to generate MAC for command data 00112233445566778899AABBCCDD0000(with padding) using 16byte key A908E976D518D0B9AE1D7F7A04CB0154 with 3DES standard encryption.. For check the validity i use example NXP Desfire EV1 features and Hints spec…

Can you help me in this matter….
I have successfully authenticate card with key version 0x00(master key all zeros)
Then i try simple commands including get Versions and settings.
Now I need to create applications and files… For that i am trying to use key version 00 as application key(AMK).
1 – Can i use CMK(Card Master Key) as Application master key..?
2 – How can i add more than one key versions to cards for used with applications and files..?(eg. Key 1 for app1 file1 write and read…..)
Please help me in this matter…..

What i need to know is….
1 – How can i define key version 0x01(1) with its value… any command….??
2 – When i change AMK(version 00) to version 0x01(another key) can i use above oxo1 for another application or file.. Are both key versions exists in the card(After key change) to use for another purpose.. ???
Please help me…..

Hi Tom,
I think key versioning is not the right thing you are looking for.
Please download the application manual AN10922 of NXP
to read the details of key versioning.
You can create different keys for each application but you access
all the files in the same application with the same application
master key.
Mustafa

We have a task to send APDU command 90 60 00 00 00 and we get the answer 04 01 01 01 00 18 05 91 AF. This answer gives each Desfire card that is not personalized.
We have Multi iso RF Reader, with RS232 interface.
Dll functions in RFID READER DLL have features that communicate with the card in order to send commands and accepting responses (reader.RDR_DESFire command and reader.RDR_SendCommandGetData command). But when I send the required command, response card is its UID number, no what is expected. Do you have any examples about ways to communicate with Desfire EV1 card (initializacion, native APDU commands, extends native APDU commands…)and MULTI ISO READER?
Or, maybe, you help mi directly, in java code..

I got two serious(for me) questions to get clarify.. Not from elementary desfire card level but from implementation level.

1 – (Easy question) can we maintain file interconnection within same application inside desfire card…?(eg. one file used or update another file data inside same application)

2- Can we introduce a PIN(in card side), to restrict card access(or to restrict file access) by validating user input pin(eg. from terminal side) with original PIN inside the card….? And How..? Are any predefined structure(like OwnerPIN() in Java Card) for PIN management inside Desfire Card..?

Hi Tom,
I try to answer your questions.
1.You can interconnect different files in the same application.
In such a case I would configure the file settings in a way
that you need not to authenticate each time you want to access
any file.You only authenticate during selecting of the application.
2.You can create an aplication and in it a file where you can store
a PIN.The reader can read this number and compares it
with a keyed in number.Only on match of both numbers it
allows to proceed.
I hope this information helps you
Mustafa

Thank you very much for your answers and can you clarify me the following situation…

According to your provided procedure for implement PIN inside card do we need to provide restrictions in terminal level code or can we introduce some mechanism(inside card) to get access to the desired property of the card(eg.file access) when once we validate PIN with terminal input.

Hi Andy,
1-When authenticating with a Desfire card you have to use
the key which is inside the card.If you want to use another
key you have to change the key of the card with the
change key command.
If you want use 16 byte key you must pay attention which
algorithm you want to use.If you want to use single DES
then you have to make the first eight byte of the key
equal to the second eight byte.Otherwise you have to
use triple DES for encryption.
2-If you mean the card master key or application key,yes
you can use them each time you authenticate until you
change the key.But if you mean the session key ,it is
used only for one session.During authentication process
a session key is calculated and used for each encrypted
communication. In the next session a new session key will
be calculated.

Hi Tom ,
i think the issue is you try to change a new key in the way of changing an existing key.The key number 0X01 is a new key
and is 0X0000000000000000.So you have act accordingly.like you have changed the key number 0X00.
Mustafa

I solved the problem.. Thank you very much.. The point i miss is, when i create application with 14 keys, default all zero keys are filled to all new positions… Then i can solve the problem…
Thanks again..

Hi Mustafa,
I tried to change AES key of PICC master key and I receive 001E Error. Could you please help guide me which part has the problem. I inverted the CRC32 but still getting the same error.https://dl.dropbox.com/u/98005924/Change_AES_Key.txt
Thanks and best regards,
Gabriel

Hi….
I did the change key command successfully yesterday. Thank to this ridrix and you all. But, now i’m having big problem. All authentication steps were OK before i changed the key yesterday.
I changed the default key (0x00 16bytes) of key 0 to 0x11 11 11 11 22 22 22 22 33 33 33 33 44 44 44 44 after I selected AID 00 00 00. Then, my authentication got error which is 0xAE. Last time i used default key (0x00 8bytes) (using single DES) in every authentication and everything was fine. But now I can’t delete AID or format the card because I can’t authenticate with AID 00 00 00. Here is how i did.

Hi Gabriel,
I can’t send “AA 00” and “1A 00” to request RndB, i got error code 1C which is illegal command code. “0A 00” is the one i’m using now and it can request RndB and when i send 16 bytes of RndA and RndB, i got AE (authentication error) :(((

Hi Gabriel,
I think the issue is the second byte 0X80.The command format for
changing the key is:
Command Code (0XC4),Key number(0X00…0X0D),decrypted key data.
For you are trying to change the PICC master key the second byte
has to be 0X00.
Mustafa

Hi Mustafa,
Thanks for your suggestion. It still gives me same error(1E).Last time I changed PICC default master key(DES) to AES using command C4+80+deciphered key data. It is successful and I can authenticate. But cannot change existing AES to a new AES key.

There I found one more problem. I created an application CA 12 34 56 0F 0E and tried to change its default key(DES) to AES using C4+00+deciphered key data, it changed to TDES key rather than AES. I think I am missing some points for this change. Could you please help?
Thanks and Best Regards,
Gabriel

Hi Gabriel,
I don’t know whether you have solved the problem allready but I want to give you some suggestions.
1.I think you don’t need to exor the old key with the
new one.This you do if the number of the key you
change is different then the number you authenticate.
In your case you are trying to change the master key,
and therefore you authenticate with master key.
2.You have to add one byte key version and CRC32
calculated over the new key and padding.
3.You have to chain the blocks using CBC send mode.
Try these suggestions,I think you will be able to change
the key.
Good luck
Mustafa

Hi Fernando,
Since PICC’s default DES has been changed to TDES, I think, you may need to use TDES encryption method with your current key TDES 16 bytes for authentication.
TDES and DES authentication process is the same. Only encryption method differ.
Good Luck,
Gabriel

Hi, Gabriel. Thank for your explanation. I got my authentication working already. My authentication steps were wrong in the first place even though i authenticated successfully with my default key (0x00 16 bytes) last time. Now my authentication is OK even after i do change key.
But now, i got a problem in changekey again. I could change the key if the KeyNo used for authentication s the SAME as the keyNo to be changed. But i could not change a key if the KeyNo used for authentication is DIFFERENT from the KeyNo to be changed (or) the ChangeKey key setting is set not equal to 0xE. The error code is 0x1E. It is mentioned in Desfire datasheet that two sets of CRC16 are supposed to append behind 16 bytes data. I don’t know how to do change key command if the KeyNo are different. You can look at my first comment (Nov 9th) if you wanna know about how i do change key.

I have the same problem that after I changed the PICC master key, the authentication process failed. And I found that only when the former 8 bytes and the latter 8 bytes of the new key are different, the authentication process fails. Could you provide some information on how you solved this problem? I guess it should be the 3des decryption’s problem. Thanks very much!

Hi Fernando,
As I understand, the default key 16 zeros whose first 8 bytes zeros and last 8 bytes zeros are identical, you may use DES auth process(not TDES) to change to new key with 16 bytes whose first 8 bytes and second 8 bytes are different.
Good luck,
Gabriel

Hi Mustafa,
Thank you for your kind suggestions and attention. I haven’t yet solved that. I am confused with key versions. I checked the default key version it says 00, after I changed DES to TDES it says 55 and after I changed DES to AES it says 77. Should the command be C4+New AES Key+new AES key version+CRC32 of new AES key+ padding? And what should be the new AES key version in this case.
Thanks and Best Regards,
Gabriel

i have some questions about usage of Desfire 4K and SAM AV1 or SAM AV2. Can you comment to them please? i tried to select an application on SAM card. it responded with “6985” status words. it means “Conditions of use not satisfied”. i think i have to unlock it with Sam_AuthenticateHost . is it correct? What is the apdu command to do it? Actually i don’t know flow between SAM and Desfire Card to read/write data from DesfireCard. Could you explain it please? What does host mean exactly? does it refer to the contactless reader? i searched all of these issues but i couldn’t read data from desfire card yet.

I have new Desfire cards which have default key.. I can authenticate card using Native DES and success..
But when i try to authenticate PICC using AES, it gives filloeing error.. Can u advice me in this matter..
>>AA00
<<91AE

Hi Tom,
if the card, you are trying to authenticate,is a virgin
card the default key is a DES/TDES key.First you have to
change the key to an AES key then you can authenticate
using AES.For this you have proceed as follows:
Send following command to PICC: 0XC4 + 0X80 + DES/TDES decrypted key data.
The decrypted DES/TDES key data you build as follows:
IV= all zeroes
Result1 = IV exor of first half of DES/TDES dec( new key)
Result2 = Result1 exor second half of DES/TDES dec( new key)
Result3 = Result2 exor DES/TDES dec( CRC16 of new key +
padding)
After changing the key you cannot authenticate with command
0A,you will get error 1C (illegal command code).
I hopethis will help you to change your key.
Good luck.
Mustafa

I have successfully overcome the issue. Thank you very much.Now what i need to now is i tried to change AES key(PICC Master) inside the card. According to specs came from NXP they required to calculate crc32 over

ex crc32(C4 00 01020304050607080102030405060708 01)

My question is when i use ISO wrapped command style(CLA+INS+PI+P2…..) should i calculate crc32 over all components or just CLA and Key NO + data.. can you help me in this matter…..

Hi Mustafa,
RndA_D is not allready decrypted. RndA_D is a random generated key (by myself). I have rename it now to RndA. The TDES decryption algorithm works fine now (now i have the same result as you). the problem
was that i have encrypted rndB_E (i simply forgot it to change it back after
playing a little bit around). but now i am still not able to authenticate:

DES/TDES is working fine now. But now i want to try AES encryption. I allready change the key to a AES key (key# 0x80). Also I am able now to get RandomB with command 90 AA. Command 90 0A fails now, which is
also ok. (the old and new key is 00 00 … 00)
But the authenticate fails:

Hi Franz,
I’m also trying to authenticate using AES. I have shared authentication key.
I send authentication command (90 AA 00 00 01 00 00) and receive proper RandomB from card.
How to compute rndB, rndB_D, rndB_R, rndB_X, rndB_XD and how to compute next command, which should be sent to card?
Thanks for advice.

write your complete communication with the desfire
card in following order so I can see what is the issue:
Authentication key
Challenge to PICC (0A , Key No.)
Response of PICC (AF , Ek(RndB))
Challenge to PICC (AF , Dek(RndA+RndB’))
Response of PICC

Hi Ali,
Before sending data to PICC you have to decrypt it,
because PCD always decrypts and PICC always
encrypts.When decrypting you have to use Triple
DES algorythm for the first half (the first 8 bytes)
are not equal to the second half.When you send
data longer than 8 bytes you have use CBC send
mode.That means you have to exor the result
of the decryption of the first eight byte with the
second half and decrypt it.Your last challenge
should look like as follows :
90 AF 00 00 10 (Dec(RndA) + Dec(Dec(RndA)^RndB’)) 00
Good luck.
Mustafa

The 00 between Length(19) and 98 shouldn’t be there.
For you have written 19 as length you don’t get length
error,you get 1E (integrity error) which means the CRC
doesn’t match with the correct one.If you fix this I think
you wil get the key changed.
Mustafa

hi mustafa,
ı am trying to authenticate PICC level of Desfire EV1 with AES.I can authenticate created applications with AES but PICC level authentication returns me AE.
crc operations must be done but which steps ı must follow can you help me?

Hi Mustafa,and the other whole helpful follwer of the ridrix.
I am workimg on desfire ev1 cards with android.I have same problem as Cem.I can authneticate with both AES AND DES/3DES and can create applications with AES authenticaiton mode.But I have some problem to change keys especially picc key to communucate with AES.I am writing the steps I tried below:

Hi Mustafa,
Finally i Can create a file and write in it.
Thank you.
But i have my problem about change key yet.
I have a question in change key :
Should i do this steps :
1.Exor the first byte (01 01 01 01 01 01 01 01) with
IV all zeroes,and 3DES encrypt it with session key.
2.Exor the second byte (01 01 01 01 01 01 01 01) with
the result of the first step, and 3DES encrypt it with session key.
3.Exor the third byte (CRC1 CRC2 00 00 00 00 00 00) with
the result of the second step, and 3DES encrypt it with session key.
4.Append all of them to your command c4 00.
And if your answer is yes , would you mind tell me an example please.?

Hi Ali,
yes you have to proceed like you have discribed.With
following difference,you have to use 3DES decrypt.
PCD always decrypts and PICC always encrypts.
If you cannot change the key , write the complete
communication and I can verify your result.
Mustafa

Hi Ali,
I made a mistake when writing the APDU format.
The correct format is as follows :
90 Ins 00 00 Lc(Length of data=19) File No.(03)
24 Bytes of Data Le=00
But there are other mistakes.First I have checked
your data and realized that you didn’t use 3DES
decryption.Second issue is you are changing
key No.3 but you are authenticating with key No.1.
If the key number you are authenticating is
different then the key number you want to change
than you have to proceede as follows:
The new key and the current key are exored.
And CRC (2bytes) of the exored data is appened.
Additionaly CRC (2bytes) of the new key is
appended after padding with zeroes (4 bytes).After
this you proceede as you have done but use
3DES decryption for the first half of the session
key is not equal of the second half.
Good Luck
Mustafa

Hi Mustafa,
I am sorry for my inconvenience.
Thank you so much for your assist and guide .
Finally i can changed a key in native mode after many attempt and ask many question from you.
Without your help i can not success.
There is one problem that i have yet :
How can i calculate crc 16 and crc 32 of some data.
for example i have one function that i do not know its implementation.That Function calculate the crc 16 of data for me and i do not know how it work.For example that function give me
37 49
for : 00 00 00 00 00 00 00 00
I want to know how it work.
I try many online calculate for 00 00 00 00 00 00 00 00
But i can reach 37 49 from all of them.
Or How can i calculate the crc 32 of some data (I need That code or one comprehensive site that calculate it for me)
Please help me.

I have one question and it is so important for me to find answer of this:
In March 7th, 2011 at 16:56 T you tell Bruno :
(( to use is : 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F .
The CRC16 for this key is 77 F5 ))
I want to know how do you calculate it . That is the answer of my first question in January 22nd, 2013 at 13:57 .
Please help me.
Best Regards.
Ali

Hi Mustafa,
i used your code in C ,and C# compilers .
in both of them i received ( ffafa9af ) for (0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF )
While the i should received CC 69.
Here is my code :
Can you tell me what is my mistake?

Hi Mustafa,
Thank you for all of your helps.
Without you i do not think i can change keys in desfire.
But here is some problems :
I create an application with this setting 1f 08
( I explain the the following lines to another readers and i know you know all of them)

((( 1f 08 in setting : means in that application i have 8 keys that when
i want to change one of them (( except 0x01 =(the firs 4 bit in the 1f) and 0x00(=master key in application ) )) i should to authenticate with the key 0x01 and if i want to change 0x01 and 0x00 i should authenticate with master. )))

I can change key PICCMaster key and every keys in that application except 0x01 and 0x00.
for example when i want to change 0x01 i do this steps :
1) Select master
2 ) Authenticate PICCMaster and receive SesssionKey
3) Select that application
4) Used the decrypted ( NEW_KEY + CRC16 + 6 bytes PAD ) = 24 bytes with SesssionKey
5 ) I send this and i give 91 ae
And if i try this :

Hi Mustafa ,
Sorry for my inconvenience.
Finally i can change the Application Master Key and Changekey key.
But here is some problems :
I create an application with this setting 0f 08.
I can change every key, even 0x00 and 0x01.
But if I change 0x00 , when i want to change another key i receive 91 1e .
While the i can change the key before i changed 0x00.
I create an application with this setting : 1f 08.
And i can not change the key after changing ChangeKey key either.

Hi Ali,
bit 0 of PICC and bit 0 of application masterkey settingsbyte
defines wether the changing of the key is allowed or not.If it is
zero like in your case the key is frozen and you cannot change
it any more.You should use f9 if you want that the key is
changeable.
Mustafa

Hi Mustafa ,
Thanks.
I do a mistake in explain my problems.
I set it (the bit 0 ) to 1 for allowing change.
I set 0f in create application , for change a key i need to ayuthenticate with key 0x00 .
I can change any key with default MasterKey or default ChangeKey key , that means the bit 0 is not 0.
But if i Change the ChangeKey key or MasterKey and use it (the MasterKey or ChangeKEy key after changing ) for authenticate and create SessionKey , i did not change any key again .While the i can change it before change the MasteKey or ChangeKey key.

Hi Mustafa ,
I explain correctly what i do :
I create an application with this setting 1f 08.
For change key :(for example 0x03)
1)I select that Application.
2)Authenticate with keyNumber 0x01and attain the Sessionkey (16 bytes).
3)Xor the OldKey and NewKey of 0x03( the Key i want to change). = XoredData
4)Append the CRC16 of XoredData to XoredData.
5)Append Crc16 of NewKwey to XoredData .

MyData = XoredData + crc16 Xored data + crc16 NewKey.

6)Decryption MyData with the first byte of SessionKey.
I received 91 00 that means the key changed correctly.

But if I change the ChangeKey Key and if i want change a key (the Oldkey and Newkey are same the OldKey and NewKey of 0x03 ) i can not change it and i receive 91 1e .While the if i do this before change ChangeKey key , i can change it.
And it is my problem
Best Regards
Ali

Hi Ali,
I don’t know wether I have understand you correctly,
but I give you the rules for key setting,you may be able
to find the issue than.
The bits 7(MSB) to 4 are holding access right for changing
application keys.If those bytes are 0 it means you have
to authenticate with application master key.If it is between
0X01 to 0X0D authentication with this specified key is
neccessary to change any key.If it is 0X0E you have to
authenticate with same key you want to change.
I hope this info will help you to find the issue.
Mustafa

Hi Mustafa ,
Thanks.
I know it and i can change any key in native mode.
But if i change application master key or change key key , i can not change any key again.
I receive 91 1e.
I want to know if i change the application master or change key key is that effect in other keys or not?
And if it is not effect in other keys why give me 91 1e?
Can i send you my code?
Best regards
Ali

Hi Mustafa ,
I indebted you all of my knowledge about desfire functions .
Let me put it in other words :
Certainly you can change the application masterkey or changekey key.
Here is my question :
Can you change the other keys after change application masterkey or changekey key ?
Or you first change the other keys and then change the application MasterKey or ChnageKey key?( The job that i do it)
And if your answer be yes that mean you can change the other key after changing application MasterKey or ChangeKey key ,
Would you mind give me a real data that with that data you can correctly change keys after changing application MasterKey or ChangeKey key please?
Best Regards
Ali

I am getting problem to authenticate DesFire ev1 card with Master keys in Adroid (using TDES), I followed these steps
1. >> 905a00000300000000 (sending PICC selection Command )
<>900A0000010000
<< getting RndB
3. Then I deciphered RndB and Prepare RndB as per doc right shift
4. After that i generate RndA
5. then add RndA+RndB
6. Then Enciphered RndA+RndB and send to card
I am getting 901C Response from card, which is Illegal command .

I m using Iv(initial vector as 00000000) and masterkey for encipher and decipher, please help to solve this issue. I also tried with (default key(like 0000….). I dueled checked that enciphered and deciphered is giving the right value

Hi Arvind,
there are many issue in your data above.First thing is you
have to decrypt data before sending to PICC.PCD always
decrypts and PICC always encrypts.To your authenticate
command you have received 16 bytes response.If the
Desfire card is configured for DES/3DES algorithm you
get 8 byte response.If it is configured for AES algorithm
you get 16 bytes.To find out how it is configured make
following test: Send ‘Get key settings’ command to the
PICC:As response you will get two bytes.First byte is
key settings and second byte is Number of Keys.The two
MSB (bit7 and bit6) give the operation art.If they are 00
then the PICC is configured for DES/3DES if they are 01
then PICC is configured for 3K3DES and if they are 10
then the PICC is configured for AES.For AES you
authenticate with command 0XAA and for 3K3DES
you authenticate with command 0X1A.
Good Luck
Mustafa

Thanks Mustafa,
Its a copy and paste problem , I am pasting again that response. I checked key settings it shows 01, and I authenticate with 0x1A and following the response 1C (illegal command)
//Seletion of AID 010000
Command send 905a00000301000000
Response << 9100

Hi Arvind,
1C means illegal command code and you get
this answer when command code is not
suppoerted.For example if you send the
commnad 90 AF … before sending 90 1A you
get the answer 1C.Therefore I assume you
send something else between command 1A
and the AF.My mailaddress ismustafa.moripek@gmail.com .Send me the whole conversation between PCD and PICC so I can
try to find the issue.
Mustafa

I want to configure a blank desfire EV1 card directly to use AES mode.

I know I need to change the masterkey to AES.

I need some advise on concepts here.

1. In order to change the master key to AES, do I need to perform a 0x0A or 0xAA authentication ?

2. If I need to perform a 0xAA auth before change the masterkey to AES, do I need to changeKeysettings first?

3. If I need to perform a 0x0A auth before change the masterkey to AES, I need to tell the PICC the new key would be AES instead of 3DES. By reading NXP docs, this should be at the “KeyNumber” (First Parameter) to the change key. I have already tried that but it telss me 0x40 (no key found for that number).

Hi, i have exactly the same problem, also trying the GetFileIDs command.
I think that the session key is used for CMAC generation.
After session key generation, you also have to reset your IV to zero, but don’t do it after each cbc crypto operation, as it stays as it is between the new EV1 crypto methods.
I try to figure out whether you have to cmac the command byte you send to the PICC (for example getFileIDs, 0x6F). I think you have to do that, but the resulting cmac is not sent, only the command byte.
When i’m trying to verify the received mac, i dont know if only the data is cmaced, or also the status byte. If someone knows that, please answer🙂

where 00 is the status code, and 02 is a file id, rest is CMAC.
i tried CMACing 00 02 and got wrong results.
then i swapped data and status byte, which turned out to be right, i don’t know why. maybe my reader does APDU framing in the background so that actually the status byte is at the end? i don’t know… i’m using this one http://www.stronglink-rfid.com/en/rfid-modules/sl032.html

Hi Ali,
be means boundary error.In the file you try to read
are not as much records as you want to read.The
one you have written as number of records is MSB.
That means you want to read more then one million
records.
Mustafa

This is regarding Desfire SAM AV2. The Problem i unable to connect to SAM using normal PC/SC contact reader. can you please help me to solve this issue.

1 – Is there any specific hardware to connect Desfire SAM?
2 – Please share your view about SAM and their communication with PC/SC readers..
3 – Are there any source which describes the SAM Communication..

Hi Smith,
for I have built my own reader I don’t have any idea how
a PC/SC contact reader can read a SAM card.I used
information (user manual,datasheets) of the producer.
Try to get information from the producer of SAM.If you
have any specific problem later on I can try to help.
Good luck
Mustafa

Hi Mustafa.
Another question.
I want to change the file setting to 11 11 (change the access rights).
If my FileID be 0x03 and my ComSetting be 0x00.
I used this command:
90 5F 00 00 04 03 00 11 11 00
I send this and receive 91 7e(Length Error)
I do not know what is my mistake.
Please help me.

Hi Mustafa,
In ChangeFileSetting i have a problem.
when i set the change key access right to e ( free access) in create the file , i can change the file setting .
But if i set it to another byte 9for example 0x03) < and i want to change access rights afthe authenticate with the changeAccessrightKey (0x03 in here) i receive 91 7e Can you heipme

I’m writing you in the hope that you might tell me where my mistake is in the changekey-process for a 0xAA authentication. I read all the above comments (and learned a lot of them…thanks for that !) on this topic but I am not able to find my mistake.

I created an application (application 01) with several AES keys which all have the standard value 00…00. The application was created with the “CA 01 00 00 0E 85” command. Changekey should change one of them, but it does not. I authenticate with the application master key and get a 0x1E error.
The following data is used:

I should explicitly remark that the authentication procedure works perfectly. My initial remark from above “I authenticate with the application master key and get a 0x1E error” might be misleading:
Not the authentication but the changekey spawns that 0x1E error.

And I found a typo. The authentication takes place via 0xAA (and not 0x0A). I use the AES method.
Do I have to submit the CRC values in LittleEndian format or in BigEndian ? I tried both variants and still got the 0x1E error.

Hi Morris,
İf the card is a virgin card you use the default key
all zeroes and you have to authenticate with the
command code 0X0A and use DES-3DES algorithm
for decryption.If you want use AES encryption
with the new key you must make the 2MS bits of
key number 10.In your case the command string
after authentication with 0X0A should be:
C4 + 81 + 3DESdecr with session key(newkey+
CRC16+padding).
Goog luck
Mustafa

I’m newbie in Desfire EV1 card.
In my project, i used the reader PN512.
I’ve done following: REQA, CL1, CL2, RATS, PPS. Everything’s ok.
But there is no answer from PICC when I implement to select the application:

– The last 2 bytes:
00 77 -> FIFO Level after read command – The response of SelectApplication 5A 00 00 00
-> They should be: 01 00
It means that there is no answer from PICC after SelectApplication command

Hi Trong,
I see that you enable CRC for TX and RX within
commands RATS and SELECT.Why do you disable
CRC in Select Application command.With the
instructions I have mentioned previously I always
can select application.
Mustafa

And also follow datasheet of MF3ICD40, i don’t see CRC was appended follow the native command frames.
However, I’ve also tried with CRC, but the results are same, there is no answer from PICC.

Do you think the commands of Desfire EV1 and Desfire are same?
Now I’m working with Desfire EV1 (MF3ICD41) but using the commands of Desfire (MF3ICD40).
Because I don’t find any datasheet about MF3ICD41 on Internet.

Follow the datasheet, it seems too easy to implement some commands as GetVersion, SelectApplication…
I see the native commands are not too different from other commands like REQA, RATS, PPS…But in fact…

Please see the code again and help me to find if i’ve missed any step.
Thank you very much.

Hi Trong,
yes you are right the 0A’s schould be 09,but
1D is correct (ManualRCVReg 0x1D).Without this it
doesn’t work properly.I have seen your conversation
at the above link.In my code I have also a
routine for exchange data with picc usin T=CL protocol.
But I am not sure whether it is neccessary ,I
have to test it.But it takes some times because
I have to make some changes on my test pcb.
I let you know when I have the result.
Mustafa

Hi all ,
I need help in implementing ISO-7816 command set supported by MIFARE DESFire. I am able to implement basic native commands but implementing iso commands is seeming difficult.Can someone give an example for implementing APPEND RECORD Command(INS-‘E2’).

I got a problem about ATS.. Here i am trying to use configured ATS with my Desfire EV1 card… But i need to get my Old ATS(ATS already in the card) and Append before newly configured ATS data such as

[Old ATS] + [My New Data] = Newly configured ATS.

What i need to know is how i get the ATS from the card.. In specs they provide that command begins with E0 will give ATS… But i unabl eto do that.. Please note that i use a ACS PC/SC reader to retrieve ATS.. Please help me ..

Hi Tom,
the format for request answer to select command is :
E0 Parameter CRC0 CRC1
The high nibble of the parameter byte is maximum
frame size and the low nibble is CID (logical
number of addressed PICC).
Mustafa

Hello all! First of all i would like to thank all the people that have shared here their information🙂
I have successfully done some basic operations of desfire card like authentication, file creation/read/write. I have been faced a really strange problem. I have created i std DataFile with the appropriate command :
Command: 91 CD 00 00 07 00 00 0E 0E A0 00 00 00
Response: 91 0E

I know the error means “Insufficient NV-Memory to complete command” , the weird thing is that i have successfully created one std data file at first. Then i deleted it and tried to create a different one (with the same FileNo), every time i was trying to create the file i was able to use less file size until now that i can’t use any file size! I tried even to remove the application and create it from scratch and now i am getting the same error at the create Application command! Is that the normal behavior of the card, should i try to format it?
Any help will be really appreciated!
Thanks for your time anyway!

Hello ali! The command you are looking for is the GetApplicationIDs(). The command code (without wrapping) is 0x6A. If you send this byte to the card you will get a response with the application aids! The first response will have untill 19 Aids, if your card has more than 19 applications the response will start with byte 0xAF which means that you have to send the byte 0xAF to the card to get the rest of the aids.

Hello Giwrgos .
Thank you.
I think 90 6a get the AID of a Desfire card. I send this APDU and receive all of AID of a Desfire card.My problem is what can i get the AID of the all of applets on a SAM card.If your answer is 6a would you mind specify me the calss and instruction of this command.

I am having a problem with Authentication of AES. Really I am trying to decrypt the message after authentication. My authentication is a success and I am trying to decrypt the return message and verify it against RANDA and I can’t seem to decrypt it properly. I have managed to do this successfully with DES. I am pretty sure that it has something to do with my IV for AES. I start with 16 byte 0x00 array to encrypt the message after that I am not sure what to use as my IV. Any help would be greatly appreciated

A bit advertising but could be helpful for some people. Just started a new open source sdk project (LGPL license) for RFID development with various chips and readers supported.
Developed in C++, can be called in C# through a COM layer: http://liblogicalaccess.islog.com
DESFire en DESFire EV1 support, but key diversification and SAM still need to be implemented.

I’m trying to create standard file after the authentication (1A). Authentication works, I have right crc algorithm, but when I send the command i get 917E response: length error. I’m using DES encryption

Hi Miha,
I don’t know wether you have solved the problem
already.As far as can see, the issue is that you
haven’t append the CMAC.If you authenticate
in TDES stnadard mode ( with command 0X1A)
you have to append CMAC.
Mustafa

Hi i am doing AES authentication using java(not using native commands) so i refered the NXP documentation.and i also use SCL010 reader to read mifare desfire ev1 card read and write.so i am new to nfc related java secure element development.so i read the authentication flow and how it works.i already implemented the java library for read the data from desfire card.can anyone tell me how to authenticate using java (if have any code implementation it will help so much)

Mustafa, If you are still monitoring this blog I was hoping I could get your advice. I have come back to trying to change the key on the card after a long break because of other project, and I still get this integrity error 0x1E.

After looking at a lot of the other comments on the blog, I figured it must be 1. Generating the session key, 2. the method used for encryption 3. the chaining used when actually attempting to change the key.

At first I assumed it must be something wrong with my changekey function an generating the apdu, but I have tested the output with all the relevant data i can find on this blog and it matches the output. That also means that my encryption functions should also be valid if they are matching all the valid encrypted output I have seen on this blog. So the only remaining cause I can think of is that I am generating the session key incorrectly. But I cannot see where this is occurring.

Hi Zack,
I think your DES decryption algorithm
is not correct.When decrypting your new key
with your session key
(18-A4-50-9E-48-54-77-A8-
18-A4-50-9E-48-54-77-A8) I have got :
R2=F7-11-62-12-75-8B-21-14
Don’t forget you have to decrypt
your data when sending to the PICC.
Mustafa

Hi Mustafa, As it turns out I was using an incorrect previous key for the operation. (It was all 1s and not all 0s) I have fixed it but I am still getting the same error. Also note that by changing the old key being used to the correct one, my output data matched the data you stated in your previous comment. So with the latest attempt I got the following data, using the same code that I used to match the input data to your output:

If this is correct this time, then I can only imagine the problem being with generating the session key. But having said that if there was a problem handling RNDA and RNDB I would imagine that the authentication procedure would have failed.

But I use the exact same code I used to get
R2 = F7-11-62-12-75-8B-21-14
using Session key = 18-A4-50-9E-48-54-77-A8

Literally the only thing I have done to the code is switch out the old session key for the new one and I get the R2 I gave you in my last message. How can it be correct in one case and not the other given that the session key is the only thing that is different?

Hi Zack,
sorry I couldn’t answer earlier,for I was so busy.
I checked your data again and you are right
your calculation is O.K.Last time I made a
mistake when copiying your session key in
to my program.The 1E (integrity error) has
to do with CRC error.It has nothing to do with
session key.If you successfully authenticate
then the session key is O.K.I checked your
CRC wich is also correct.
Are you changing the key with which
you authenticate.If the key number you
are authenticating with is different then the
number you want change then you have to
proceed as follows:
16 Bytes new key xored with the old key +CRC16
of the old key xored with the new key +CRC16 of
the new key +padding.
I hope this information helps you,
good luck.
Mustafa

Hi Mustafa,
Thanks for trying. Yes I am trying to change the masterkey from the default all zero key. So I am authenticating with the all zero key (slot 0) and trying to change that to the one I have been typing out in the examples I have been posting :S

Hi Ali,
Like Zak I am using the omnikey 5321 v2 and wrapping the command but keep getting the CRC / Mac error. I have attempted both native and ISO mode and cant get it to change from default key values to my new key. I would be interested to see how you done it.
Paddy

I have done some tests and found the solution! I have found that if the data length are max 47 bytes i can write big files without problems! So instead of the 52 bytes limit that is written on Phillips Product Specification document the actual limit is 47 bytes for the first command and 54 (instead of 59) for every other!

Here, you have defined that you would be using only 4 keys in your application. In your create std data file command just try using numbers between 0 – 3 for the access rights and i think this should get you through.

I have managed to succesfully des authenticate a desfire EV1, then change the PICC master key to AES. What I am struggling with now is the process to authenticate the AES key. (This is mainly because I haven’t yet got NXP to reply so I can get the documentation under an NDA.)

I have working code for aes encryption & crc32 but it is not clear to me going through the examples above what the actual steps for aes are. Can anyone please explain the process and provide some example outputs so I can use them to verify/get the code in the right sequence?

Just to be clear; I’m using desfire EV1, aes and trying to authenticate the PICC master key and getting the response 0xAE so the card is seeing what I’m sending but doesn’t like it. I don’t want to send any code output because I think it is completely wrong at this point and would confuse.

I have been trying to write encrypted data to Desfire EV1 using SAM (AES encryption) but I am unable to do so.

As with SAM, it can encrypt at the max 0xEC i.e. 236-bytes in one frame for AES encryption. But for example i want to write around 456 bytes of data to the Desfire card. So I am not able to figure out how the second frame should me made.

But, now I assume that this frame format is wrong hence the encrypted value is wrong and therefore after writing to DESFIRE card this entire encrypted value, I either get 0xAE (Authentication Error) or 0x7E(Length Error) as the error.

I think somewhere the DESFIRE header that is passed in the next frame is wrong. Kindly help me to identify the problem here.

With trial and error, I seem to have got this SAM encryption proper.
As I had guessed, the problem was in the frame formation for the 2nd chunk of 228 -bytes. The DESFIRE header was causing the problem.

I can surely help you with it. But before that, can you tell me the actual configuration of the SAM that you are using i.e. (a) AV1 or AV2 mode
(b) present key configuration (c) what type of key you are intended to use etc.

Also, tell me have you worked with SAM or DESFIRE EV1 individually before?

Dear All,
I am struggling with AES perso for Desfire. i am simply can not prodcue the correct CRC32 result. I try to get the above written data:
C40001020300000000000000000000000000
CRC32 is: fd 25 74 8e

But I have no success.
Could you please sombody send me a tool which calculates the correct CRC32?
Or what are the parameters: ploynom, XOR value, init vector, etc.
thank you in advance for any help,
Andras

Hi there,
what are you using for communicating with the
card.What you send for authentication is not
right.Apdu command for authentication is:
90 0a 00 00 01 00 00
At the beginning of this blog you can see
the details.
Mustafa

Hi again;
I created an application with ‘CA3333330F0A’ …Then I sent 90-0A-00-01-00-00 (begin authentication procedure)…
it responsed me 1D-A4-56-2E-78-43-F6-CB (encrypted rndB)
Now I should Decrypt and build Rondom B..
I am sending to picc 1D-A4-56-2E-78-43-F6-CB (encrypted rndB), it returned 67 00..it is wrong way.
How can I decrypt rndB?

How to communicate with DESfire EV1 with AES encryption? Does anyone have the java code? Im using Android device and don’t have a clue what to do after selecting the application and sending the 0xAA command. It just returns some AF+(16bit). How to proceed from there?

I am doing desfire programming in java. I can already do everything under single DES cryptography(with default key all 0x00).

But now I should use real 3DES cryptography, that is, the key is random now. And I face the authentication problem now.

Actually, the reason is that I don’t quite understand the 3DES flow diagram when the card send data and the pcd send data. The document says there are some differences as the card always use encrypt mode.

With 3DES, we should doing 3 times DECRYPT_MODE DES(xor before des) when sending data to PICC and doing 3 times DECRYPT_MODE DES(xor after des) when receiving data from PICC?
Oh I am confused!

Hi ridrix.
I’ve been trying to implement a Delphi library to communicate with MIFARE DESFire EV1 cards using this post as my guide. I’m almost certainly sure I’ve implemented CBC Send Mode and CBC Receive Mode correctly, but my card keeps responding with 91AE to my AF DES(RndA+RndB’) command. The weird thing about my card is, when I request Key version for master key of PICC, I get 88h. Is this the expected response for a new card, and I should keep investigating my authentication code, or my card’s PICC master key has somehow been changed?
I’d be more than happy to paste my code here, but it would clutter the blog.

Hi Iman,
I have checked your data and I have got same
results.
Now there are some possible reasons for the
AE.Your key may be wrong or type of key is wrong.
To get the type of key you should send Get Key
Settings command (45) to the PICC.You will get
3 bytes (Status,Key Settings,Max No.of Keys) as
response.The combination of the two MSB’s
(bit7 and bit6) of Max No.of Keys gives you
the type of the key type.If it is 00 you should
authenticate with 0A,if 01 you should
authenticate with 1A and if it is 10 you should
authenticate with AA.
Good luck
Mustafa

Hi Mustafa.
I finally got my hands on a bunch of new DESfire cards and successfully authenticated with them. Now I’m trying to change the default master key, and I’m getting integrity error. Here’s the communication trace:

Hi Iman,
I don’t know how you came to data you have sent to PICC.
For changing the key you have to proceed as follows:
You have to calculate crc16 over the new key,append it
to the new key and after padding withh zeroes to come to
multiple of eight bytes send it to PICC in CBC send mode.
For your session key is eight bytes long you have to
use single DES decrypting.I have made a sample
calculation with your data so you can check your
code.

Hi Teguh,
you get the error code CA,when you send the PICC
the next frame before the previous command
is executed and the response is sent.Do send all
the challenges to the PICC step by step in the
order I have mentioned above and wait
for the response each time.
Mustafa

Hi Mustafa
I’m trying to create an application with ISO files names on my DESfire, but I’m getting 9E error (parameter error) when I set the Key Settings 2 bit 5 to 1. If I use 0x0E as KeySettings 2, the application is created successfully, but if I use 0x16 or 0x1E, I get 9E. Do you have any idea?

Thanks a lot🙂
Can you help me with another issue? Now i want to create a standard file with this APDU: “90CD00000900434400000808000000” but I’m repeatedly getting PARAMETER ERROR. My Access Bits is 1000h (key #1 to read and application master key to modify), and my file size is 64 bytes. Am I calculating something wrong?

Hi Titin,
your crc16 is correct.I think your session key
is not correct.If you are trying to change the
default key all zeroes than the first
half of your session key be equal to the
second half.
Mustafa

Hi Teguh,
the way you are proceeding is not correct.
To your authentication command answers
the PICC with AF EncNo(RndB) which is
in your case AF 28D938B2581F0A1B.
Now you have to decrypt this to get RndB
and build RndB’.I think your key is all zeroes:
I have decrypted it so you have a data
to check your decrypting algorithm.
RndB is in this case :8C A6 4D E9 C1 B1 23 A7
RndB’ is A6 4D E9 C1 B1 23 A7 8C.
You have to decrypt your RndA, build RndB’
and exor both.Then you have to decrypt it.
At last you send AF+dec(RndA)+
dec(dec(RndA) XOR RndB’) to the PICC.

Hi Titin ,
I am out of office now and I will be back on
monday and can check you data then.
For checking I need the log of all conversation
between reader and PICC.
Examining your data I can say that you are
making something wrong,because it is impossible
that you are getting same results.Each time
you authenticate you get another sessionkey.
With new session key your decrypted data
should be different from previous data.
Please write all the communication as
I have written plus your session key,
so I can verify the data and can find where
the issue is.
Mustafa

Hi Xurniati
I have checked your data.Your crc16,your
decrypting algorithm and your building
cbc are all correct.The issue is your
building the session key.I think your
Rnd A is 09 08 07 06 05 04 03 02.
That means the first half of your session
key should be 09 08 07 06 but you
have used the first half of the decrypted
RndA .I couldn’t verify your RndB therfore
I can’t say what the second half should be.
If you correct the algorithm for building the
session key you will be able to change the key.
Mustafa

Hi Xurniati,
if you can authenticate succesfully then you have
all the data to build the sessionkey.First half of
RndA (in your case 09 08 07 06 ) + first half
of RndB (the DES decrypted data of the
response of PICC to your authenticate command).
For DES has a 16 byte key you have to
put the above mentioned data two times to
build the session key.
Write down the complete log of authent
procedure so I can find out
where the issue is.
Mustafa

hi mustafa,
thank you so much for your answer , finally my authentication process is success! now i have a session key.

but now i need to change key, according to http://read.pudn.com/downloads165/ebook/753406/M075031_desfire.pdf
to change key i should build :
command + key_no + 24 bytes data. but i confuse how to building 24 bytes data is .
i see your previous comments says it should be 16 bytes + 2 bytes CRC + 6 bytes padding. i send it but i get following error 1E

its crypto algorithm for change key should be done in single DES ? and i must be use 8 bytes session key ?
can you show me in a step by step examples to help me understand?

Hi Teguh,
1E means integrity error.You get this error
message if either crc16 is wrong or
the padding bytes are not correct.So you
have to check your crc16 algorithm.The crc16
of 00 to oF is 77F5,verify your crc16 code.
If it is correct then something is wrong with
DES decryption so the PICC calculates
another crc16 value.Then you have to check your
session key or look for other issues .
Write down the log of complete communication
so I can verify you data.
Mustafa

Hi Teguh,
if you authenticate with default key all zeroes
then your session key is as follows:
first half RndA + first half RndB + first half
RndA + first half RndB(totally 16 bytes).
For the first half of your session key is equal
to the second half you have to use single DES
decryption.
Mustafa

Hi Teguh,
yes you can change it,but don’t forget
the first half of your key is no more equal
to the second half therefore you have to
build your session key accordingly and use
3DES for decrypting.
Mustafa

hi mustafa ,
thank you so much for your help,
i can change it to all zeros and even i can change to AES, but im failed to change AID key level to AES, is AID key cant change to AES ? thank you so much in advance🙂

Hi Teguh,
now I know where the issue is.The type of
the key of an application you determine
when creating the application.The bit
numbers 6 and 7 of Key Setting No.2
indicate the crypto mode.
You can change the crypto type
of only PICC master key the way you are
trying to change.You have to delete the
application and create a new one with
appropriate Key Settings No.2.
Mustafa

Hi Teguh,
why 0XF1.If you want to use only one key
within this application the Key Setting No.2
should be 0X81,because bit 7 and bit 6
of the Key Setting No.2 defines the
crypto method.If you want to use AES
encryption method bit 7 should be 1
and bit 6 should be 0.
Mustafa

I’ve successfully authenticated to a Mifare Desfire EV1 card using AES-128.
After the authentication, I’ve managed to ask for the UID, but as it apparently comes back encrypted,
I’ve not managed to decrypt it properly. Hope you can help me.

Some bytes, like app ID and AES key are shown as xx as they aren’t public. The flow is described below:

Hi JP,
I don’t have any experience with java for
I am writing codes in C for microcontrollers.
I wil give you some information which may
help you to find the issue.
First thing is you don’t pass any parameters
to PICC when sending cmd 0X51.Therefore
I’m not sure about the variable 0X80 and
14 zero bytes.
The PICC answers with 16 bytes : 7 bytes
UID 4 bytes CRC32 and rest padding.
If you check your code accordingly
you will find the issue.
Mustafa

Ok, thank you. I will try it more, and this time mostly using only 0x51 as the command, as it probably shall be just 0x51. And I’ll mostly pay attention to the first 7 bytes.

One thing: “The PICC answers with 16 bytes : 7 bytes
UID 4 bytes CRC32 and rest padding.” you said. I’ve been mostly trying to decrypt the answer I got from sending 0x51 (16 bytes after the first byte that’s 0x00), so… Should I actually still send something and receive an answer, or am I trying it the right way now (decrypting the answer got from 0x51)?

Hi JP,
the first byte 0X00 means success and the
following 16 bytes are the encrypted
UID… . On error you would have
an error code instaed of the zero as
the first byte.You have to decrypt the
16 bytes after the zero.If you find the issue
please share the result.
Mustafa

I was long unsure about the sessionKey, but then got the right one after researching some more. It appears to be:

– byte[16] of which indexes 0…3 and 8…11 are from the reader’s (mine) generated rndA which are also parts of the sent rndAB within the authentication, and indexes 4…7 and 12…15 are from rndB which is built by decrypting the answer to 0xAA (decrypting the 16 bytes after the AF byte).

Then I also noticed that I had been sending GetVersion command in between the authentication and the GetUID command, and that probably changed the IV, which is 16×00 just after the authentication, just like in my codes for decrypting the UID.

So, my function public static byte[] decrypt_UID() shown above seems to work with the sessionKey built how I explained in this post. Like Mustafa said, the first 7 bytes of the decrypted UID are the actual, real UID.

Thanks for trying to help me before, and I hope this helps someone else now too!

Hei. I am new to desfire ev1 coding.
This forum has been a gold to me.
Managed to authenticate, get the right session key, calculate crc16 and change any key.
The problem is (what i cannot find in this forum or anywhere on internet), I am unable to authenticate with my new key. (recieveing AE)
for example after changing to this key:
00000000000000030000000000000003
i get the right keyversion which is ‘1’ (00000001)
for this key:
03000000000000030300000000000003
i get keyversion ’81’ (10000001)
this implies that the key has been changed to the right value

but i am still unable to authenticate
I am running out of ideas
for authenticate command i use bruno’s comment on March 5th, 2011 at 04:11
for changekey command i use Mustafa’s comment on March 7th, 2011 at 16:56
I also noticed that i cannot change the password if at least 1 of the bytes is >= ’80’ i recieve 1E error
(for crc16 i use init=0x6363,poly-0x8408)

Bit more information, the error appeared to start after I sent a formatPICC command (0xFC). Unfortunately I missed the status response sent the first time I sent the command. Any further sends of the command just generate the 0x01 response.

When sending the formatPICC command does this delete the Master Application 0x00?? I didn’t think it would. Has anyone ever had any problems after sending formatPICC command.

Hi Chiase,
you have authenticated with key number 0 to
change key number 1.You have to bitwise xor
the current key with the new one add the new key
version and build crc32 over command + key number
+ xored data + key version and additionally a crc32
of the new key is appended.After padding you
AES decrypt the data and send it in cbc mode to the
PICC.
Mustafa

Can someone please confirm / correct how the IV works while using AES.

I understand during authentication I start with an IV of 0x00 (16bytes) that the result of each encryption / decryption operation is used as the IV for the next encryption / decryption operation.

After authentication the IV is reset to 0x00 (16bytes)

My first command I send to the card I calculate the CMAC which then provides me with an IV, when the card responds I use the IV calculated from the Send process as the IV for calculating the received CMAC. Again the result of the CMAC calculation will be used as IV for the next CMAC calculation. I know this is correct as I can send / receive multiple requests and the CMAC always verifies.

When I’m doing an operation such as ChangeKey / ChangeKeySettings that requires the data to be encrypted, do I use a blank IV of 0x00(16 bytes) or do I use the IV that I calculated from my last CMAC operation. I also assume that the result of the encryption (last block encrypted) becomes the new IV for future CMAC calculations etc

Hi Chiase,
sorry I was busy therefore I couldn’t answer your
earlier comment.To make it clear TDEA means triple
DES encryption algoritm.There is no 2TDEA
or 3TDEA but 2KTDES or 3KTDES.2KTDES has
a key which is 16 Bytes long and 3KTDES has
a key which is 24 bytes long.You start always
with IV all zeroes.Please write clearly what you want
to do.If possible write the whole log.
Mustafa

Hi Chiase,
I am not in the office,so I cannot check your data.
There are some essential errors in your proceeding.
First thing:If you want to use 3K3DES then you have
use standard mode of encrypting and decrypting not
the native mode.In native mode you decrypt the data
when you receive it or you send it.In standard mode
you decrypt the data when you receive it and
encrypt the data when you send it.Second thing:
Your TDES algoritm is not correct.
3DES Decryption: Dec (K1) Enc(K2) Dec (K3)
3DES Encryption: Enc (K1) Dec (K2) Enc (K3)
For your key is all zeroes the first 8 bytes are
equal to last eight bytes when you encrypt
or decrypt.
Mustafa

Hi Chiase,
If you choose 00 01 02 ..0f as RndA then you
use this RndA for building the session key.If the
RndA which is sent by the PICC doesn’t match
with your chosen RndA then the authentication
is failed.
Mustafa

I see you. But if the authentication is failed, the card will not response the encrypted Rnd_A. Because I send encrypted (Rnd_A || Rnd_B’). I only receive second 8 bytes of Rnd_A to be right (it is 09 0a 0b 0c 0d 0e 0f). It’s strange!

Hello!
I’d like to use “INTERNAL AUTHENTICATE” on a DESfire EV1 card but I wonder what the required steps are before this command works.
I mean, do I have to create an application first? Do I need to select that application before?
Please help🙂

You should automatically be in application 000000 when connected to the card so you should be able to authenticate with key 0 without any additional steps. I think you might have to do that before even being able to create an application.

Hi Xbego,
you don’t put the authentication key anywhere.
You use it for encrypting and decrypting.The
communication between card and reader is
made in encrypted way.Therefor you have to
know the authentication of the card.Otherwise
you cannot communicate with the card,and
you get the answer AE (authentication error).
Mustafa

Hi Xbego,
I need your RndA (random number).In your
previous comment you have written
Random Key : 22115544.If this is your
random number RndA then it is wrong,
because it should be 8 bytes long.
For testing your DES decrypting algorithm
I have decrypted PICC response (51 76 ae
e7 00 d0 7a 59) and have got as
RndB:27 32 E4 F1 8F 82 8D 57
If you send me a new log and your RndA
I can verify your data and find where
the issue is.
Mustafa

Hi Xbego,
The first part of your payload
( e4 0f 31 68 09 da c6 eb 06 86 8f 49 e2 73 e6 7c)
is correct,that means your DES decrypting
algorithm is correct.But I couldn’t realize
how you have got the second eight bytes.
The correct way of proceeding is to use
CBC send mode.To decrypt the second eight
byte you have to exor the second eight bytes
(06 86 8f 49 e2 73 e6 7c) with the current
IV (e4 0f 31 68 09 da c6 eb) and then DES decrypt
them.The result should be the second eight bytes
of your payload.
Mustafa

Hi Chiase,
in fully enciphered communication mode
you have to use CMAC’ing.You have to
build CMAC on cmd+file No.+ offset + length.
And as current IV you have to use the last
IV of authentication.You don’t send this to the PICC.
You have to calculate this for updating the IV.
Mustafa

Now, I can calculate CMAC correctly. I use CMAC as IV for decrypting received data from DESFire EV1. However, I’m facing a problem. If I read less 12 byte (DESFIRE responses 1 block, 16 bytes), decrypted data includes zero bytes and 4 bytes CRC32. If I read more 12 byte (DESFIRE responses 2 blocks, 32 bytes), when decrypting the data, all is zeros, there are not CRC32 bytes. I use CBC AES mode with IV is from CMAC.
Could you tell me why?

2. Append CRC32 to the data only without command, fileNo, offset and length.

-> ‘data+CRC32’

3. Padd the ‘data+CRC32’ with 0x00 (NOT 0x80, 0x00…) to a multiple of 16 Bytes, if needed.

-> ‘data+CRC32+Zeropadding’

4. Encrypt ‘data+CRC32+Zeropadding’ with AES

-> crypted( ‘data+CRC32+Zeropadding’ )

5. Send to the PICC

->’cmd+fileNo+offset+length + crypted(data+CRC32+Zeropadding)’

Keep in mind that you can only transfer 60 Bytes in one send. So for the first send you have the 8 Bytes from the command, fileNo, offset and length + the first 52 Bytes from crypted(data+CRC32+Zeropadding).

After the first send you have 1 Byte for command 0xAF and 59 Bytes for the rest of crypted(data+CRC32+Zeropadding).

PS: If you have doubts about IV management, try to read the same data multiple times in a row. If this works and your write data doesn’t, the error might be at some other point.

I can write data exactly. Thank you very much!
Regarding IV management, After successful authentication, I calculate CMAC and use it to XOR with decrypted data from a file (read file), I obtain correct data. However, I continue reading data from the file and use the CMAC do XOR with decrypted data, I don’t get same data. I think it is due to CMAC be wrong. How do I update CMAC?

This is wrong. The initial Vector is set by the encryption during the CMAC calculation. You should not change it by yourself.

I guess what you think is that the IV = CMAC, but that’s not true. It’s more like CMAC = IV. And that’s not the whole truth. IV normally has 16 Bytes and CMAC only 8 Bytes. Ater the shiftig operations for the MAC you have to encrypt it to get CMAC. And after that encryption your CMAC is already calculated, because it’s a part of the IV. Namely the first 8 Bytes.

I can authenticate and write fully enchiper using AES key, but could you explain more detail about how to calculate CMAC?
Like you said shifting operation of MAC, which shift and how many is it? And after that encryption using what key and what’s the IV? thank you.

Thank for your reply! I understand what you say. “CMAC is first 8 Bytes of IV during the CMAC calculation.”

However, as sending two reading data commands continuous (file No, offset, length is same), I receive two different data packages from card. So, I can’t apply the IV_1 to decrypt second data package (as last comments, it is en_data_2). Because it decrypts other result.

Thank your reply!
Yes. I want to use many Read data commands after authentication successful.
I try the your guide by using en_data_1 as IV for decrypting en_data_2 (because it is CBC mode) or re-calculating IV using en_data_1 to be initial vector during CMAC calculation (default it is all zeros). But I’m not successful!
So, the application in the future, I think I will forbid using many Read data commands on the file or must re-authenticate before reading data for resetting IV calculation!

I also have a question about Read Data Command. I wonder the 4 bytes following data is CRC32 of data or Data||status? Because I calculate CRC32 of the data (0x11, 0x11, 0x11, 0x11, 0x00, 0x00, 0x00, 0x00) to be 0x92, 0x22, 0x44, 0xfd while result that card response is 0x92, 0xca, 0x7f, 0x1b.

I think you might missunderstood the concept of the CBC mode and the initial vector. I was also at this point and had the same thoughts about re-authenticate to read the card. But this will create more problems at other points.

So I’ll try to explain more detailed.

You don’t use the en_data_1 as IV for en_data_2!!! You should never write something into it!!!

Thank for your reply!
I’m clear what you say.
In the CBC mode decryption, last encrypted data is XORed with current decrypted data. Right?
In the my case, en_data_1 is only 16 bytes. So , I use it as IV for decrypting en_data_2 (because of CBC mode, last encrypted data of AES_DECRYPTION_CBC is en_data_1. Right?)
I have showed all my data. So, could you re-calculation the them? What value is the IV for decryption of en_data_2? I know I bother you so much! But I calculated many way, the result is not as my expect!

the solution is simple. You have to calculate CMAC again after the second Read Data. If you’re authenticated, then you have to calculate CMAC for almost every command if you want to verify the transmission.

I have a AES application. After authenticating with PICC master key, response from card includes parameters and a CMAC (8 byte) (i.e, response of getFileIDs command is 00(status), 04 (File ID), 03, 06, 05, (CMAC 8 bytes) f9, 8e, 1d, 8d, 97, 0a, b5, 75 ). After the getFileIDs command, I read data of the file and decrypt it. As the last problem, I can’t obtain right data. (if I read data after authenticating successful, I decrypt the data exactly.)
I assume the problem is wrong IV. In the case, after information commands (such as getFileIDs, getFilesetting, getKeysetting, getApplicationIDs, v….), how is IV calculated?

I solved the problem. I have to calculate CMAC for the command, use it to calculate CMAC of response from card. Finally, CMAC of response is used to calculate CMAC for next commands. I think now I can manage CMAC (or IV).

[…] word on the problem. Going one level deeper, DESFire protocol can operate in 2 different ways: “native” mode or “standards” mode. In standard mode the protocol messages are actually compatible with ISO7816. Cards support this, […]

Hi Mileaux,
I think the issue is your session key.You are
authenticating with default key all zeroes.
You have to use single DES and the first half
of your session key should be equal to
second half.(RndA(0-3 bytes)+RndB(0-3)+
RndA(0-3 bytes)+RndB(0-3))
In your case :
23 47 C1 55 E2 34 D6 F7 23 47 C1 55 E2 34 D6 F7

Hi 2 All
I can do change key setting when the first 8 bytes of key are equal to the second half.But My question is that : ” How can I do change key setting when the first 8 bytes of key are defferent from the second half.

Hi Ali,
changing the key settings is independend from
type of the key.If the configuration changeable bit
of the current keysettings is set you can change
the keysettings after successfully authentication
with the master key.
Mustafa

Hi mustafa
thanks for reply
My question was about encryption
because as I saied when the first 8 byte of key are equales to second half I should use single des dycryption but when they are diferrent I try single des and 3des but in both mode I received 91 1e.How can I fixed it?